--On Monday, October 29, 2007 11:45 PM +0000 russell-openldap(a)stuart.id.au
On Mon, 2007-10-29 at 18:07 +0100, Hallvard B Furuseth wrote:
> No, you've forced users who authenticate against userPassword
> to be encrypted. Not all SASL methods, nor auth with rootpw.
That's a worry. Rootpw aside, the intended objective of
the ACL was to ensure passwords were never sent in the
clear. Either a protocol like CRAM-MD5 was used, or the
entire link is encrypted. Does it not do that? (Actually
it doesn't. It should have been sasl_ssf=71. But bugs
Secondly, just out of curiosity, are there SASL methods
that check a shared secret of some kind and don't use
userPassword? What are they?
Principal Software Engineer
Zimbra :: the leader in open source messaging and collaboration