On 18.09.2011 14:36, Jacobus brogly.decap wrote:
No, encrypting passwords over the wire is something TOTALLY different and separate from how they are stored on disk (in case you want to migrate or export). Don't solve 2 different problems at the same time. I recommend you read chapter 2 of the IBM Redbook on LDAP.
My apologies for not being clear. Let me go back to the initial problem.
I have postfix, cyrus-imapd and openldap installed on Debian. I do not care about protecting passwords over the wire because I already use ldaps for all communications with slapd.
postfix and cyrus-imapd both use the ldapdb plugin to verify users against slapd. ldapdb is configured to authenticate postfix and cyrus-imapd with their own private users, and then a proxy authorization is performed to take the identity of the real users.
ex: postfix uses the user "postfixldap" and once authenticated, takes the identity of user "julien"
  +--------+                          +----------+
  |postfix |                          |  cyrus   |
  +--------+                          +--------+-+
      |                                        |
      | proxy                                  | proxy
      | ldapdb                                 | ldapdb
      |              +-----------+             |
    user             |   slapd   |            user
 "postfixldap"       |           |         "cyrusldap"
      +------------->user=julien<--------------+
                     +-----------+

This method is nice because it avoids having additional software in between postfix and cyrus (pam-ldap or saslauthd). But the problem is that ldapdb requires the use of DIGEST-MD5 and therefore requires storing the passwords in cleartext in the directory.
I'm looking for a solution to avoid storing the messages in cleartext. Is it possible while still using ldapdb in postfix and cyrus-imap ?
Julien
Julien Vehent wrote:
This method is nice because it avoids having additional software in between postfix and cyrus (pam-ldap or saslauthd). But the problem is that ldapdb requires the use of DIGEST-MD5 and therefore requires storing the passwords in cleartext in the directory.
ldapdb doesn't require any such thing. DIGEST-MD5 requires plaintext. If you don't want to store plaintext passwords, don't use DIGEST-MD5.
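The reply above turns on a property of the mechanisms, not of ldapdb: a DIGEST-MD5 server must recompute MD5(username:realm:password) (RFC 2831) and so needs the cleartext password, whereas a PLAIN bind over ldaps hands the server the candidate password, which it can check against a salted hash such as OpenLDAP's {SSHA}. The following is an added example written for this edit, not code from the thread or from OpenLDAP or Cyrus SASL; the user name, realm, nonces and password are constructed, and the hashing and response computations are written out here rather than taken from any library in the thread.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values (hypothetical; not data from the thread).
PASSWORD = b"correct horse"
PLAINTEXT_ENTRY = PASSWORD.decode()   # a cleartext userPassword, which DIGEST-MD5 forces you to keep
REALM = "mail.example.org"            # hypothetical SASL realm
USERNAME = "julien"


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, candidate: bytes) -> bool:
    """Check a cleartext candidate (as delivered by a PLAIN bind) against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def verify_plain(stored: str, candidate: bytes) -> bool:
    """Server side of PLAIN: works whether userPassword is hashed or cleartext."""
    if stored.startswith("{SSHA}"):
        return ssha_verify(stored, candidate)
    return hmac.compare_digest(stored.encode(), candidate)


def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """RFC 2831 response-value for qop=auth without authzid, as the client computes it."""
    def h(data: bytes) -> bytes:
        return hashlib.md5(data).digest()

    def hexh(data: bytes) -> str:
        return hashlib.md5(data).hexdigest()

    # A1 starts with the raw MD5 of user:realm:password; that inner hash is what
    # the server must be able to reproduce, so it needs the password itself.
    a1 = h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return hexh(f"{hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hexh(a2)}".encode())


def verify_digest_md5(stored: str, username: str, realm: str, nonce: str, cnonce: str,
                      nc: str, qop: str, digest_uri: str, response: str) -> bool:
    """Server side of DIGEST-MD5: only possible when userPassword is cleartext."""
    if stored.startswith("{"):
        # {SSHA}, {SHA}, {CRYPT} etc. cannot yield MD5(user:realm:password).
        raise ValueError("DIGEST-MD5 cannot be verified against a hashed userPassword")
    expected = digest_md5_response(stored_password_user(username), realm, stored,
                                   nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


def stored_password_user(username: str) -> str:
    """Identity helper kept separate so the argument order above reads clearly."""
    return username


def demo() -> dict:
    """Run both mechanisms against a hashed entry and a cleartext entry."""
    hashed_entry = ssha_hash(PASSWORD, b"salt")
    nonce, cnonce, nc, qop, uri = "n1", "c1", "00000001", "auth", f"imap/{REALM}"
    response = digest_md5_response(USERNAME, REALM, PASSWORD.decode(), nonce, cnonce, nc, qop, uri)
    results = {
        "plain_vs_hashed": verify_plain(hashed_entry, PASSWORD),
        "plain_vs_cleartext": verify_plain(PLAINTEXT_ENTRY, PASSWORD),
        "digest_vs_cleartext": verify_digest_md5(PLAINTEXT_ENTRY, USERNAME, REALM,
                                                 nonce, cnonce, nc, qop, uri, response),
    }
    try:
        verify_digest_md5(hashed_entry, USERNAME, REALM, nonce, cnonce, nc, qop, uri, response)
        results["digest_vs_hashed"] = "verified"
    except ValueError:
        results["digest_vs_hashed"] = "impossible"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical reading for the setup in the thread: keep ldapdb and the proxy-authorization layout, store userPassword as a hash, and restrict the SASL mechanism list ldapdb and the mail daemons offer to PLAIN (or LOGIN), relying on the ldaps transport already in place to protect the password in transit.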
openldap-technical@openldap.org