--On Monday, October 29, 2007 11:45 PM +0000 russell-openldap@stuart.id.au wrote:
On Mon, 2007-10-29 at 18:07 +0100, Hallvard B Furuseth wrote:
No, you've forced users who authenticate against userPassword to be encrypted. Not all SASL methods, nor auth with rootpw.
That's a worry. Rootpw aside, the intended objective of the ACL was to ensure passwords were never sent in the clear. Either a protocol like CRAM-MD5 was used, or the entire link is encrypted. Does it not do that? (Actually it doesn't. It should have been sasl_ssf=71. But bugs aside ...)
Secondly, just out of curiosity, are there SASL methods that check a shared secret of some kind and don't use userPassword? What are they?
GSSAPI
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration