[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL and non-cleartext passwords storage

To: "Jacobus brogly.decap" <jacobusbogers@gmail.com>
Subject: Re: SASL and non-cleartext passwords storage
From: Julien Vehent <julien@linuxwall.info>
Date: Sun, 18 Sep 2011 15:22:02 -0400
Cc: Openldap technical <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed; d=linuxwall.info; h= mime-version:content-type:content-transfer-encoding:date:from:to :cc:subject:in-reply-to:references:message-id; s=lnw-dkim; bh=ef H9HcWqKoMpC4ry5kLQWdB9gKJ2K6e0do/qAzvoxX0=; b=Xu8AGAG/zedwWsw0Bf cS7+jHmDnRDFiuunJNJdkkI2egxIsyzIXsSWUKWww30ZVBNPDbrm+kxqVMwng8k0 MD+NSX4x0i57f/aQGzvumyl5BD3ND+bQxMo8gR5ItTutBb9F4W6kJ7P/FbKaAz98 10yQZMTgt7cEYzf3u0WgV5B7s=
In-reply-to: <CAO+ERrB+=zEayPP9dYvhZKmyd4g1gGFxEqgUAbFSYDvdD8b7sw@mail.gmail.com>
Organization: linuxwall.info
References: <fb7bbb66233b24a6781ff4568ee8327b@linuxwall.info> <CAO+ERrCp09KGRxkmJ6g-4in_n8wgg4ZUWzx6kDEG3fOeOkDx5w@mail.gmail.com> <e33921bfcf6e63138604c89cd6c9d34d@linuxwall.info> <CAO+ERrB+=zEayPP9dYvhZKmyd4g1gGFxEqgUAbFSYDvdD8b7sw@mail.gmail.com>
User-agent: Linuxwall Roundcube Webmail/0.6-svn

On 18.09.2011 14:36, Jacobus brogly.decap wrote:

No, encrypting passwords over the wire is somthing TOTALLY differentandseperate from how they are stored on disk (in case you want tomigrate

or

export)
Dont solve 2 different problems at the same time,..I recommend youread
chapter 2 of IBM redbook on LDAP.

My apologies for not being clear. Let me go back to the initialproblem.

I have postfix, cyrus-imapd and openldap installed on a debian. I donot care about protecting passwords over the wire because I already useldaps for all communications with slapd.

postfix and cyrus-imapd both use ldapdb plugins to verify users againstslapd. ldapdb is configured to authenticate postfix and cyrus-imap withtheir own private users, and then a proxy authorization is performed totake the identify of the real users.

ex: postfix uses the user "postfixldap" and once authenticated, takesthe identity of user "julien"


        +--------+          +----------+
        |postfix |          | cyrus    |
        +--------+          +--------+-+
        |                            |
  proxy |                            |proxy ldapdb
ldapdb  |       +-----------+        |user "cyrusldap"
 user   |       |  slapd    |        |
        +------->user=julien<--------+
"postfixldap"   |           |
                +-----------+

This method is nice because it avoid having an additional software inbetween postfix and cyrus (pam-ldap or saslauthd). But the problem isthat ldapdb requires to use DIGEST-MD5 and therefore to store thepasswords in cleartext in the directory.

I'm looking for a solution to avoid storing the messages in cleartext.Is it possible while still using ldapdb in postfix and cyrus-imap ?



Julien

Follow-Ups:
- Re: SASL and non-cleartext passwords storage
  - From: Howard Chu <hyc@symas.com>

References:
- SASL and non-cleartext passwords storage
  - From: Julien Vehent <julien@linuxwall.info>
- Re: SASL and non-cleartext passwords storage
  - From: Julien Vehent <julien@linuxwall.info>

Prev by Date: Re: SASL and non-cleartext passwords storage
Next by Date: Re: SASL and non-cleartext passwords storage
Index(es):
- Chronological
- Thread