Re: Squirrelmail and Imap using SASL issue

From: Igor Brezac (no email)
Date: Wed May 18 2005 - 13:04:26 EDT

  • Next message: Igor Brezac: "Re: Configuring ldapdb"

    On Wed, 18 May 2005, Jason Walker wrote:

    >
    > Igor Brezac wrote:
    >>
    >> On Wed, 18 May 2005, Jason Walker wrote:
    >>
    >>>
    >>> Igor Brezac wrote:
    >>>
    >>>>
    >>>> On Tue, 17 May 2005, Jason Walker wrote:
    >>>>
    >>>>>
    >>>>>
    >>>>> Andreas Winkelmann wrote:
    >>>>>
    >>>>>> On Tuesday 17 May 2005 18:56, Jason Walker wrote:
    >>>>>>
    >>>>>>>> If you want to use more than one Domain-Part, saslauthd is not the
    >>>>>>>> right choice and you should use the sql Auxprop-Plugin. (Unpatched,
    >>>>>>>> this will only work with unencrypted Passwords.)
    >>>>>>>
    >>>>>>> Why wouldn't saslauthd be the best way to do this? I am presently trying
    >>>>>>
    >>>>>> Because of this Feature with the Domain Part in the Username. The
    >>>>>> Library will lose the part behind the @. If you use auxprop and, in
    >>>>>> the case above, the sql-Auxprop Plugin, the Username will arrive
    >>>>>> complete at the Backend.
    >>>>>>
    >>>>>> Another disadvantage is the limiting to plain and login if you want
    >>>>>> to use saslauthd. plain or login means the Password passes the Line
    >>>>>> almost unencrypted. You have to use TLS/SSL for security.
    >>>>>
    >>>>>
    >>>>> I will be only offering PLAIN and LOGIN as AUTH types through the MTA.
    >>>>>
    >>>>>>
    >>>>>>> to setup an environment where saslauthd authenticates against
    >>>>>>> kerberos5 for users, so as far as I know this is the only way for
    >>>>>>> Postfix or
    >>>>>>
    >>>>>> Client sends Username/Password in cleartext through the wire.
    >>>>>> saslauthd connects to Kerberos and verifies the Password.
    >>>>>>
    >>>>>>
    >>>>>>> cyrus-imap to use kerberos5. Is there a reason auxprop-plugin
    >>>>>>> would be better, and will that work with kerberos5?
    >>>>>>
    >>>>>> GSSAPI uses the already issued Kerberos-Ticket. No Password crosses
    >>>>>> the Line.
    >>>>>>
    >>>>>
    >>>>> I won't be using GSSAPI at all. The clients I have to support are
    >>>>> Outlook and Outlook Express, so GSSAPI is not an option. I'll be using
    >>>>> TLS/SSL to secure it. In case you are wondering, yes I know I won't be
    >>>>> using kerberos to its fullest in this instance. I am using kerberos
    >>>>> just as a central database for authentication, not for its SSO (Single
    >>>>> Sign On) ability.
    >>>>>
    >>>>> Knowing this, what are my options? As best I can tell I'm still left
    >>>>> with saslauthd authenticating against kerberos
    >>>>>
    >>>>
    >>>> Why use kerberos as a user database? You have other and perhaps more
    >>>> flexible options such as ldap and mysql.
    >>>>
    >>>
    >>> 2 reasons:
    >>>
    >>> 1) Kerberos does Authentication better than LDAP or MySQL. I wouldn't
    >>
    >> ldap (and mysql) does not authenticate.
    >
    > no, but you can have saslauthd authenticate against a mysql table/ldap
    > dn iirc

    Sure, some applications use ldap internal authentication system.

    My point is that ldap/mysql and kerberos are not designed for the same
    purpose.

    >>
    >>> want my company-wide passwords in a LDAP directory where everyone can
    >>> see it (I know you can setup ACLs but it's the wrong place for such
    >>> sensitive data)
    >>
    >> I disagree, but fair enough. (This is not the right place for this
    >> discussion)
    >>
    >>> 2) Eventually I'll be moving to use kerberos single signon. This is a
    >>> much more secure way of doing things than anything MySQL or LDAP could
    >>> offer. In addition kerberos is the only tool for this task available in
    >>> the free market (that I am aware of).
    >>>
    >>> As stated before, I want 1 user/pass database for everything. I'm tired
    >>> of having 5 different credentials for 5 different things.
    >>
    >> How are you going to support virtual domains with kerberos?
    >>
    > Kerberos isn't the problem, you can setup as many kerberos realms as you
    > want. The problem is in software using kerberos. Namely, if you have
    > something like saslauthd that strips the realm information from the

    saslauthd does not strip, libsasl does. Actually it passes username and
    realm as two separate tokens to saslauthd.

    > username, it won't work for more than one realm. That's actually why I'm
    > on this thread, because it was stripping the realm from the
    > authentication identity and frankly pissed me off :) I still don't
    > understand why the -r option was introduced to hack around the domain
    > stripping.

    As you say, -r is really a quick hack; a better solution would be for each
    saslauthd mech to deal with username and realm tokens in its own way.

    This has been discussed before, you might want to search cyrus archives.

    -- 
    Igor
    
