From: Simon Matter (simon dot matter at ch dot sauter-bc dot com)
Date: Wed Jun 16 2004 - 08:39:41 EDT
> Igor Brezac wrote:
>>>>Only userPassword and cmusaslsecretMECHNAME properties can be
>>>>used for storing secrets.
>>>And userPassword must be the Cleartext-Password.
> So it seems once again I'm running into a wall: I want to use the same
> password for all mail-related tasks (imap && smtp auth).
> Let's make a summary of my requirements then:
> 1) shell access, imap access and smtp auth for all users
No problem with userPassword as SSHA in LDAP.
> 2) no single password transmittable in clear text
No problem: ssh, imap/tls and smtp/starttls do it; transport encryption
is the key here.
> 3) either one single password for everything, or one for shell access
> and one for mail access (from the user point of view)
One password works fine.
> 4) all password modifiable by the user directly
Works fine too; every user is able to change his own password in LDAP.
> In a previous incarnation, we had passwords stored in three different
> places (/etc/shadow for shell, imapdb for imap, sasldb for smtp auth),
> with only cram-md5 authentication allowed, filling requirements 1 and 2.
> 3 and 4 were only achievable by creating setuid front-ends for accessing
> imapdb and sasldb. So we switched to LDAP just to make all passwords
> stored in one place, thinking administration would be easier. However, I
> still haven't found a way to have both imap and smtp auth use the same
> LDAP property with a digest or cram-md5 authentication scheme.
> Can anyone suggest another setup? We're not bound to courier-imap, nor
> to LDAP mandatorily, and 2) could also be achieved using clear-text
> authentication over an encrypted transport layer (see my other thread).
> Class schedules are designed so that every student will waste maximum
> time between classes.
> Corollary: When you are occasionally able to schedule two classes in a
> row, they will be held in classrooms at opposite ends of the campus.
> -- Laws of Class Scheduling n°2