
Re: Security [checked for viruses]



Hans Moser <hans.moser@ofd-sth.niedersachsen.de> writes:

> Hi!
>
> To prevent sniffing clear text passwords there are a few methods
> available with OpenLDAP. Which of them are useful, when OpenLDAP will
> be used especially with Postfix and Cyrus IMAPd? I don't want to store
> authentication data elsewhere than in LDAP (i.e. no sasldb2).

If you only store identities and passwords in a directory and postfix and
imapd reside on the same host, transport could be done via local
sockets, that is ldapi, in addition to a shared secret challenge.
You may use the SASL auxiliary property plugin ldapdb to authenticate
users against a directory. But I must admit that I only got postfix
working using ldapdb; cyrus-imapd refused so far.

> The "easiest" way may be server-side encryption with TLS. STARTTLS
> works before the bind operation, so even simple bind clear text
> passwords are encrypted. Am I right?

Yes

> The CRAM-MD5 or DIGEST-MD5 mechs need plain text passwords in the
> userpasswd attribute to create the challenge. Is that true?

Yes, but the attribute can be protected by means of access rules.

-Dieter


-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
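
Added example, not part of the original message: a minimal Python sketch of why a CRAM-MD5 (RFC 2195) server needs the clear text password while a simple bind (for instance over STARTTLS) also works with a hashed value. The function names, the user, the password and the challenge are constructed for illustration, and treating any value starting with "{" as hashed is a simplifying assumption.

```python
import base64
import hashlib
import hmac

def cram_md5_response(user: str, password: str, challenge: bytes) -> bytes:
    """Client side: base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def ssha(password: str, salt: bytes) -> str:
    """Salted SHA-1 value in the {SSHA} storage format."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_cram_md5(stored: str, challenge: bytes, response: bytes) -> bool:
    """Server side: the HMAC must be keyed with the password itself."""
    if stored.startswith("{"):
        # Hashed value (assumption: "{" marks a scheme prefix). The clear
        # text cannot be recovered, so the expected HMAC cannot be computed.
        return False
    _user, _, client_digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, client_digest)

def verify_simple_bind(stored: str, password: str) -> bool:
    """Simple bind: the client sends the password, so a hash can be checked."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        candidate = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return hmac.compare_digest(stored.encode(), password.encode())

if __name__ == "__main__":
    # Constructed sample data
    challenge = b"<1234.5678@mail.example.org>"
    resp = cram_md5_response("alice", "s3cret", challenge)
    hashed = ssha("s3cret", b"saltsalt")
    print("CRAM-MD5, clear text stored:", verify_cram_md5("s3cret", challenge, resp))
    print("CRAM-MD5, {SSHA} stored:    ", verify_cram_md5(hashed, challenge, resp))
    print("simple bind, {SSHA} stored: ", verify_simple_bind(hashed, "s3cret"))
```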