| 1 |
Chris S wrote: |
| 2 |
|
| 3 |
> When I couldn't get LDAP to work with SASL originally I decided not to |
| 4 |
> use it (as I figured I use SSL anyway), and so I built openldap with |
| 5 |
> USE="-sasl" and it built and worked just fine without passing -x (with |
| 6 |
> MD5 crypt password). |
| 7 |
This is crazy ;) |
| 8 |
|
| 9 |
|
| 10 |
>> It's mostly a security layer and apart from the security layer plugins |
| 11 |
>> you'll have some for persistent storage like mysql, ldap and sasldb. It |
| 12 |
>> wouldn't make much sense without storing passwords somewhere right? |
| 13 |
>> |
| 14 |
>> |
| 15 |
> Forgive my ignorance, so you are suggesting that you should use SASLDB |
| 16 |
> to hold your "Manager" account for configuring LDAP? |
| 17 |
Depends ;) |
| 18 |
|
| 19 |
> Then use LDAP for everything else? I don't know where the "Manager" |
| 20 |
> account is actually stored if you don't use SASL under LDAP so I guess |
| 21 |
> this makes sense (but probably not!!). This would then also utilise the |
| 22 |
> security sasl authentication has to offer. I guess I don't quite |
| 23 |
> understand how you use SASL without a SASL db, hence the question in my |
| 24 |
> original email. |
| 25 |
You have to be clear about the terms account, user, DN, etc. Your |
| 26 |
"manager" from slapd.conf is a DN. The LDAP server knows about and it |
| 27 |
also knows about the password so it can check your *simple_binds*. |
| 28 |
simple_binds are performed with DNs and passwords which are passed to |
| 29 |
the server over the network, SASL binds however are mostly shared secret |
| 30 |
mechs or OTP,GSSAPI. There is no DN but a SASL user and no password but |
| 31 |
a challenge-response auth scheme. If you do a SASL bind you are actually |
| 32 |
interacting with the sasl library which in turn have to get the password |
| 33 |
somewhere to validate your challenge. |
| 34 |
There are mechanisms to map you sasl user to a LDAP DN after a |
| 35 |
successfull SASL bind (sasl-regexp in slapd.conf), as well as using the |
| 36 |
ldap server as a password backend for the SASL library (ldapdb). |
| 37 |
> |
| 38 |
> maybe I should just stick to mysql ;) |
| 39 |
Yes maybe. As my thread a few days ago showed you can use either. It |
| 40 |
mostly depends on what clients you have (e.g. Address books for outlook, |
| 41 |
thunderbird wouldn't work that good with mysql ; DISCLAIMER: This |
| 42 |
doesn#t mean it is easy with LDAP because both outlook and thunderbird |
| 43 |
have different assumtions how the DIT should look like and the |
| 44 |
programmers where so brain dead(sorry) to hardcode this) |
| 45 |
|
| 46 |
cheers |
| 47 |
Paul |
| 48 |
|
| 49 |
-- |
| 50 |
gentoo-server@g.o mailing list |
Archives