Re: slurpd -d9 --- Invalid credentials
- To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Subject: Re: slurpd -d9 --- Invalid credentials
- From: Steven Wong <slqwong@yahoo.com>
- Date: Sun, 13 Aug 2006 09:42:08 -0700 (PDT)
- Cc: openLDAP software <openldap-software@OpenLDAP.org>
- In-reply-to: <7.0.1.0.0.20060812112639.022fa830@OpenLDAP.org>
Thanks Kurt,
I just thought there was a way, since I saw some posting(s) on the web that have the credential={MD5}blah...
Or is that on older version(s) or a different LDAP?
Thanks,
Steven
----- Original Message ----
From: Kurt D. Zeilenga <Kurt@OpenLDAP.org>
To: Steven Wong <slqwong@yahoo.com>
Cc: openLDAP software <openldap-software@OpenLDAP.org>
Sent: Saturday, August 12, 2006 12:11:17 PM
Subject: Re: slurpd -d9 --- Invalid credentials
Let me repeat using different words which Howard and others have
already explained to you.
Password-based mechanisms require the client to have knowledge of
the actual password. That password is either provided by a
human or read from a password store.
Hashed password stores are not useful to a client as they, by
design, don't provide access to the actual password.
Encryption of the password store is pointless security-wise.
The decryption key would have to be protected as if it were the
actual password.
No OpenLDAP client, including slurpd, supports encrypted password
stores.
sasldb is not actually an encrypted password store. It's a store
of actual passwords of multiple users. Access to sasldb should be
restricted to the few SASL servers that need access to it.
Kurt
At 04:14 PM 8/11/2006, Steven Wong wrote:
>My main point is to not have the passwd in "plain text" in my slapd.conf. I want to have it encrypted.
>I thought SASL would provide me with this facility, such that it would look at the /etc/sasldb file for it on the master, then with it, then send that/unencrypted to the slave ldap server for authentication.
>
>Or if this thought of mine is wrong, let me know what I need to do or correct to make it possible.
>
>Thanks,
>Steven
>
>----- Original Message ----
>From: Kurt D. Zeilenga <Kurt@OpenLDAP.org>
>To: Steven Wong <slqwong@yahoo.com>
>Cc: Howard Chu <hyc@symas.com>; Aaron Richton <richton@nbcs.rutgers.edu>; openLDAP software <openldap-software@OpenLDAP.org>
>Sent: Tuesday, August 8, 2006 12:28:33 PM
>Subject: Re: slurpd -d9 --- Invalid credentials
>
>At 11:54 AM 8/8/2006, Steven Wong wrote:
>> I was wondering if there are any Howto's for LDAP, SSL, with SASL, without Kerberos.
>
>The basic OpenLDAP SASL tutorial is:
> 1) get Cyrus SASL working first (using their client programs
> with service set to "ldap" and daemon name set to "slapd").
> (use Cyrus SASL mailing list to resolve issues)
> 2) then apply lessons learned in 1 to getting OpenLDAP working
>
>The basic OpenLDAP TLS/SSL tutorial is:
> 1) get OpenSSL working first (using s_server/s_client)
> (use OpenSSL list to resolve issues)
> 2) then apply lessons learned in 1 to getting OpenLDAP working
>
>-- Kurt
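
Added example (not part of the original thread and not OpenLDAP code): a small Python model of the server side of a password-based bind, showing why a hashed value such as `{MD5}...` placed in the client's credentials is rejected while the actual password is accepted. The function names, the sample password and salt, and the simplified `{MD5}`/`{SSHA}` handling are assumptions made for illustration.

```python
import base64
import hashlib
import hmac


def hash_password(scheme: str, password: bytes, salt: bytes = b"") -> str:
    """Build an RFC 2307-style stored value for {MD5} or {SSHA}."""
    if scheme == "{MD5}":
        return scheme + base64.b64encode(hashlib.md5(password).digest()).decode()
    if scheme == "{SSHA}":
        digest = hashlib.sha1(password + salt).digest()
        return scheme + base64.b64encode(digest + salt).decode()
    raise ValueError(f"unsupported scheme: {scheme}")


def server_check(stored: str, presented: bytes) -> bool:
    """Server side of a password bind: hash what the client sent, then compare.

    The stored hash is never accepted as the credential itself.
    """
    if stored.startswith("{MD5}"):
        want = base64.b64decode(stored[5:])
        got = hashlib.md5(presented).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        want, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        got = hashlib.sha1(presented + salt).digest()
    else:
        want, got = stored.encode(), presented  # cleartext store
    return hmac.compare_digest(want, got)


def bind_outcomes(scheme: str, password: bytes, salt: bytes = b"") -> dict:
    """What the replica answers when the client is configured each way."""
    stored = hash_password(scheme, password, salt)
    return {
        "actual_password": server_check(stored, password),          # bind succeeds
        "hash_as_password": server_check(stored, stored.encode()),  # rejected
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for scheme in ("{MD5}", "{SSHA}"):
        print(scheme, bind_outcomes(scheme, b"replica-secret", b"8bytesalt"))
```
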