Hi,
My current LDAP setup uses SASL PTA to authenticate against Active Directory. For users only existing in OpenLDAP, I would use SASL SCRAM, so no passes over the wire except for these in AD ;-)
But I believe only 1 method can be used by SASL External? Any guidelines on configuring something as this? Do I really need the meta backend or is there a better way?
-- PieterB
On 05/16/12 11:47 +0200, Pieter Baele wrote:
Hi,
My current LDAP setup uses SASL PTA to authenticate against Active Directory. For users only existing in OpenLDAP, I would use SASL SCRAM, so no passes over the wire except for these in AD ;-)
For SASL SCRAM support, you'll need to compile the OpenLDAP server and client utilities against cyrus sasl 2.1.25. And/or you can use SSL/STARTTLS to protect the authentication exchange. SASL SCRAM requires that you perform SASL authentication from your LDAP clients, and not simple authentication.
An alternative to SCRAM that is supported in older versions of cyrus sasl is DIGEST-MD5.
But I believe only 1 method can be used by SASL External?
Neither pass-through authentication nor SCRAM really have anything to do with SASL EXTERNAL. SASL EXTERNAL might come into play if you're performing STARTTLS with client certificates.
Any guidelines on configuring something as this? Do I really need the meta backend or is there a better way?
Specifically with regards to SCRAM (or DIGEST-MD5), you will need to store your passwords in clear text. See:
http://www.openldap.org/lists/openldap-technical/201110/msg00168.html
The meta backend is not necessary to support either pass-through authentication nor local SCRAM authentication. In what scenario are you looking to use the meta backend?
openldap-technical@openldap.org
-
Dan White -
Pieter Baele