[KLUG Members] SASL

Adam Williams members@kalamazoolinux.org
18 Dec 2002 14:50:32 -0500


>Hmm.... 'sasl_auxprop_plugin: sasldb' directly:
>Dec 17 23:49:09 grimace cyrus/imapd[1559]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits new) no authentication
>Dec 17 23:49:12 grimace cyrus/imapd[1559]: login: localhost[127.0.0.1] peter DIGEST-MD5+TLS User logged in
>That worked against /etc/sasldb2 with PLAIN turned off, but trying to

Right, that's SASL the easy way.

>use 'saslauthd -a ldap' didn't until I created the deprecated

Deprecated?  Or created?

>'/usr/etc/saslauthd.conf':
>ldap_servers: ldap://localhost:389
>ldap_search_base: dc=killdevil,dc=org
>ldap_scope: sub

Right, saslauthd currently can't do magickal self-configuration via DNS
SRV. :(

>Dec 17 23:56:48 grimace cyrus/imapd[1646]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits new) no authentication
>Dec 17 23:56:51 grimace cyrus/imapd[1646]: login: localhost[127.0.0.1] peter plaintext+TLS
>That works only with PLAIN set on.

Ah.

>Does it matter how LDAP or /etc/shadow stores the passwords? 

It depends a little.  If you're using an "account" objectclass, the
"userpassword" attribute (usually presented as MIME encoded) contains a
specifier for the type of encryption.

{crypt}H*D(@#HH(@*HD)(@HD*
{md5}#@YF*(HN#D(*#DHDKKL#H*D
{sha}LFK)*(#JHDC*J#*(H(F(##
etc....

>Should it be MD-5, and do you have to specify that for either one?

One of what?

The LDAP server (slapd, yes?) performs password encryption, as specified
in the "userpassword" attribute, and compares the password you sent to
the password stored in "userpassword".  So for simple binds, yes, the
DSA has to have the clear text password.  But it isn't really clear text
if you're using LDAP TLS.

But, but but....

OpenLDAP itself supports SASL. I know, you're jumping up and down saying
"Yes! Yes! I can finally add yet another layer to my labyrinthine
masterpiece!"

With Kerberos V for instance, one adds
sasl-realm             WHITEMICE.ORG
sasl-host              kdc.whitemice.org
sasl-secprops          none
srvtab                 /etc/openldap/ldap.keytab
to slapd.conf.  Then, assuming OpenLDAP was compiled properly, has
supporting Kerberos V service credentials, the global krb5.conf file is
correct, the clocks between the DSA host and the KDC host are in sync,
and the KDC is available (whew....) authentication for a bind is passed
on to the GSS API of SASL.  An account is expected to be an objectclass
of kerberosSecurityObject which contains (optionally) a krbName
attribute that contains the object's authentication principal,
"awilliam@WHITEMICE.ORG" for example.

A similar arrangement should be possible with any SASL method, shared
secrets (sasldb2, etc..) or what not.  But I've seen no documentation on
the sasl-* parameters to do so until the recent publication of
http://www.openldap.org/doc/admin/sasl.html

>Or am I being a butthead and should just pump PAM through LDAP? 

I'm a PAM fan, so I'm biased.  On the PAM part, not the butthead part, 
on that I'm entirely open minded.

>It seems silly to have a working technology like MD-5 and not use it.

It depends on what you mean by "using it".  You can encrypt your
password in LDAP as MD5 strings, but you do need to send it in clear text
(albeit inside TLS) in order to perform verification.  But there is a
section in the admin/sasl.html document that discusses direct use of
DIGEST MD5 with the DSA.
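An added example, not code from this thread or from OpenLDAP, showing what the message above describes: the directory stores "userpassword" as a "{scheme}" prefix followed by a base64 digest, and on a simple bind the DSA re-hashes the clear-text password it received (inside TLS) and compares. It covers the {md5} and {sha} prefixes from the message and goes one step further with the salted {SSHA} form; {crypt} is recognised but deliberately not verified here, since that needs crypt(3). The helper names (split_scheme, make_hash, verify) and the sample passwords are assumptions of this example.

```python
"""
RFC 2307-style userPassword handling, as a DSA does it on a simple bind.
Added example with hypothetical helper names; not OpenLDAP's own code.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme name -> digest constructor. SSHA is SHA-1 over password+salt,
# with the salt appended to the digest before base64 encoding.
_DIGESTS = {"MD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
_SHA1_LEN = 20


def split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """Split '{SCHEME}payload' into (SCHEME upper-cased, payload).
    A value without braces is stored in clear text: scheme is None."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def make_hash(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Produce the value a DSA would store in userPassword for `scheme`."""
    scheme = scheme.upper()
    if scheme not in _DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest() + salt
    else:
        digest = _DIGESTS[scheme](pw).digest()
    return "{" + scheme + "}" + base64.b64encode(digest).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Simple-bind check: re-hash the clear-text password and compare.
    The DSA cannot verify without the clear-text password, which is why
    the message above says it must travel inside TLS."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme is None:
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme == "CRYPT":
        raise ValueError("{CRYPT} needs crypt(3); not handled in this example")
    if scheme not in _DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(payload)
    if scheme == "SSHA":
        digest, salt = raw[:_SHA1_LEN], raw[_SHA1_LEN:]
        expected = hashlib.sha1(pw + salt).digest()
    else:
        digest, expected = raw, _DIGESTS[scheme](pw).digest()
    # Constant-time comparison so a mismatch position is not timing-visible.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample entries, one per scheme the message lists (plus SSHA).
    entries = {
        "sha": make_hash("sha", "secret"),
        "md5": make_hash("md5", "secret"),
        "ssha": make_hash("ssha", "secret"),
    }
    for name, stored in entries.items():
        print(name, stored, "ok" if verify("secret", stored) else "FAIL")
```

Running the block prints one stored value per scheme and "ok" for each; the SHA line is the familiar "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=" for the constructed password "secret". Note that {MD5} and {SHA} are unsalted, so two accounts with the same password get identical userPassword values, which is the property {SSHA} adds a salt to avoid.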