Re: SASL and non-cleartext passwords storage

[Julien Vehent <julien@linuxwall.info>]

On 18.09.2011 12:30, Jacobus brogly.decap wrote:

> Sure, just choose "a schema" there are many hashes to choose from
> SHA1-SHA2, MD5 etc...you can look it up in the admin guide on the
> openldap.org [2] website...setting it up is really trivial!


How is this going to work with proxy authorization ?
the ldapdb auxprop plugin in postfix doesn't work with hash passwords. 
Should I go back to using saslauthd ?




> 2011/9/18 Julien Vehent
>
> > Hi List,
> >
> > I'm working on a setup where postfix and cyrus-imap do proxy
> > authorization against openldap (my setup is here http://1nw.eu/!cD 
> > [1]
> > ). I love this solution, it's a lot more elegant that using 
> > saslauthd.
> > But I'm concerned about passwords stored in cleartext, as required 
> > by
> > DIGEST-MD5.
> >
> > I know of the many ways to protect the data stored in openldap (file
> > system encryption, etc...), but if somebody gets a root access,
> > passwords will be disclosed, and I want to prevent that.
> >
> > My question is: Is there a way to use hashed passwords with sasl and
> > proxy authorization ?
> >
> > Thanks,
> > Julien



Links:
------
[1] http://1nw.eu/!cD
[2] http://openldap.org
[3] mailto:julien@linuxwall.info