cantao Apprentice
Joined: 07 Jan 2004 Posts: 166
Posted: Sun Aug 02, 2009 2:45 pm Post subject: Clarification of Cyrus-SASL, OpenLDAP and PAM
Hi Friends,
After reading and Googling a lot, I'm still kind of lost here (perhaps age coming?).
I want to centralize services -- mostly authentication and hosts -- using OpenLDAP. I did that once a long time ago (OpenLDAP 2.1) half blinded, but now I want to do it properly, better yet if I actually *know* what I'm doing.
So, I need some clarifications:
1. How do Cyrus-SASL, OpenLDAP and PAM relate? I know I can make OpenLDAP PAM-aware with pam_ldap and nss_ldap, but my readings make me think that I can use OpenLDAP straight with Cyrus-SASL.
2. What is the difference among ldaps://, TLS and Cyrus-SASL? How do they correlate? What is "better" (note the quotes)?
3. Is Cyrus-SASL *really* necessary, or can I live happily *and* secure just with OpenLDAP and PAM?
4. How in the hell do I set up the cn=Manager account with the new slapd.d directory configuration format??? (OpenLDAP >= 2.3).
Any info that helps me sort out this mess will be greatly appreciated!
Thanks a lot, Cantão!
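Nobody in the thread answers question 4, so here is an added example (it is not from the thread or from the OpenLDAP project) of what setting the cn=Manager account looks like once the configuration lives in slapd.d. It assumes the database entry is named olcDatabase={1}hdb,cn=config and the suffix is dc=example,dc=com; both are placeholders to check against the real server. The {SSHA} routine reproduces the scheme slappasswd emits by default so the stored value can be verified locally.

```python
"""Added example, not from the thread: setting the rootdn on a slapd.d
(cn=config) server, with a hashed password.

Under the slapd.d layout there is no slapd.conf to edit. The old 'rootdn' and
'rootpw' directives are the attributes olcRootDN and olcRootPW on the
database entry below cn=config; this example assumes that entry is
olcDatabase={1}hdb,cn=config (verify the real name as root with
  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix
and use whichever olcDatabase=... entry carries your suffix).
The change goes in via ldapmodify over the ldapi:/// socket, authenticated
with SASL EXTERNAL, i.e. by the Unix uid of the caller. olcRootPW must hold
a hash, not the cleartext password; {SSHA} is what slappasswd emits by
default, and it is reproduced here so the value can be checked.
"""
import base64
import hashlib
import os

ROOT_DN = "cn=Manager,dc=example,dc=com"   # assumed suffix (placeholder)
DB_DN = "olcDatabase={1}hdb,cn=config"     # assumed database entry (placeholder)


def ssha_hash(password, salt=None):
    """Return an {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def rootdn_modify_ldif(db_dn, root_dn, hashed_pw):
    """LDIF that replaces olcRootDN and olcRootPW on the database entry.

    Apply it as root with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
    """
    if not hashed_pw.startswith("{"):
        raise ValueError("refusing to write a cleartext olcRootPW")
    return "\n".join([
        "dn: " + db_dn,
        "changetype: modify",
        "replace: olcRootDN",
        "olcRootDN: " + root_dn,
        "-",                       # separates the two modifications
        "replace: olcRootPW",
        "olcRootPW: " + hashed_pw,
        "",
    ])


if __name__ == "__main__":
    hashed = ssha_hash("change-me")  # constructed example password
    print(rootdn_modify_ldif(DB_DN, ROOT_DN, hashed))
```

The ldapi:/// socket with `-Y EXTERNAL` is what lets root edit cn=config without any rootdn password at all, which is also why the socket's permissions matter as much as the olcRootPW hash.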
aceFruchtsaft Guru
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
Posted: Sun Aug 02, 2009 3:40 pm Post subject:
I've never understood where SASL fits in either. There does not seem to be decent documentation which describes the bigger picture, at least I did not find one some time ago.
However, as far as I see it you don't need SASL for most things anyway. PAM is an authentication framework which is supported by almost everything on Linux, so if you authenticate via PAM -> pam_ldap -> openldap you probably don't need SASL. I don't know if anything has changed with openldap 2.4 as I am still running openldap 2.3.x on both of my servers.
BTW, I'd rather say that pam_ldap and nss_ldap make PAM and the NSS openldap-aware, not the other way round.
Regarding the difference between ldaps:// and TLS: You run ldaps on a separate port (636 IIRC) and this supports only SSL-encrypted communication. That is the "old way" of doing things. With TLS, you can use the standard port (389) for both encrypted and unencrypted connections. If a client supports TLS, it will initiate an encrypted connection on port 389, so this is more flexible.
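As an added illustration of the ldaps:// versus StartTLS distinction described above (example code, not from the thread): ldaps:// wraps the socket in TLS before any LDAP traffic, while on plain ldap:// the client must send the StartTLS extended operation itself and then refuse to go on if the upgrade fails. The block encodes that request byte for byte and models the client-side decision; the host names are constructed.

```python
"""Added example, not from the thread: what ldaps:// and ldap:// + StartTLS
do on the wire, and why a client must *insist* on TLS rather than try it.

ldaps:// (default port 636) is implicit TLS: the socket is wrapped in TLS
before a single LDAP message is sent. ldap:// (default port 389) starts in
the clear; a client that wants encryption sends the StartTLS extended
operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511/4513) and, on success,
upgrades the same socket to TLS. The risk of the second form is a client
that merely *tries* StartTLS and then sends its simple bind (login +
password) in cleartext when the server declines.
"""
from urllib.parse import urlsplit

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def parse_ldap_uri(uri):
    """Return (host, port, implicit_tls) for an ldap:// or ldaps:// URI."""
    parts = urlsplit(uri)
    if parts.scheme == "ldap":
        implicit_tls, default_port = False, 389
    elif parts.scheme == "ldaps":
        implicit_tls, default_port = True, 636
    else:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    return parts.hostname, parts.port or default_port, implicit_tls


def _ber_short(tag, content):
    """Tag-length-value with a short-form (< 128 byte) BER length."""
    if len(content) > 127:
        raise ValueError("long-form BER length not needed for these messages")
    return bytes([tag, len(content)]) + content


def starttls_request(message_id):
    """BER-encode the LDAPMessage carrying a StartTLS ExtendedRequest.

    LDAPMessage     ::= SEQUENCE { messageID INTEGER, protocolOp ... }
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    StartTLS has no requestValue, so the whole message is 31 bytes.
    """
    if not 0 <= message_id <= 127:
        raise ValueError("single-byte messageID only in this example")
    request_name = _ber_short(0x80, STARTTLS_OID.encode("ascii"))  # [0] primitive
    extended_req = _ber_short(0x77, request_name)                  # APPLICATION 23
    msg_id = _ber_short(0x02, bytes([message_id]))                 # INTEGER
    return _ber_short(0x30, msg_id + extended_req)                 # SEQUENCE


def plan_bind(uri, require_tls=True):
    """Return (steps, credentials_encrypted) for a simple bind over `uri`.

    require_tls=True is the behaviour of 'ldapsearch -ZZ' or 'ssl start_tls'
    in pam_ldap: on ldap:// the client sends StartTLS and aborts unless the
    TLS handshake completes. require_tls=False models a client that falls
    back to a cleartext bind on port 389, which is the configuration mistake
    to look for when auditing pam_ldap / nss_ldap setups.
    """
    host, port, implicit_tls = parse_ldap_uri(uri)
    encrypted = implicit_tls or require_tls
    steps = ["tcp-connect %s:%d" % (host, port)]
    if implicit_tls:
        steps.append("tls-handshake")
    elif require_tls:
        steps.append("send %d-byte StartTLS request" % len(starttls_request(1)))
        steps.append("tls-handshake")  # abort here if the server refuses StartTLS
    steps.append("simple-bind")
    return steps, encrypted


if __name__ == "__main__":
    print(starttls_request(1).hex())
    for u in ("ldaps://ldap.example.com", "ldap://ldap.example.com"):
        print(u, plan_bind(u))
```

The 31-byte request is the same one `ldapsearch -Z` emits; the difference between `-Z` and `-ZZ` is only whether the client proceeds when the server answers with anything other than success.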
cantao Apprentice
Joined: 07 Jan 2004 Posts: 166
Posted: Sun Aug 02, 2009 11:39 pm Post subject:
Hi aceFruchtsaft!
Thanks for your prompt response!
Yes, I guess the greatest problem is the big picture. I know PAM talks to OpenLDAP through pam_ldap, but I also know that Cyrus-SASL and OpenLDAP talk to each other. On the other hand, Cyrus-SASL *also* talks to PAM. Cyrus-SASL can use its own database, or use OpenLDAP. Everybody talks to everybody in every possible way. In the end, I am completely unable to know how the information flows from "login + password" to full authentication.
Talking about "old ways" of doing things, do you have any good documentation (ok, perhaps not so good, but understandable) on the new "cn=config" paradigm? Slapd.conf probably will be deprecated, so it is good to have a clean and correct start.
Thanks a lot, Cantão!
aceFruchtsaft Guru
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
Posted: Mon Aug 03, 2009 6:09 am Post subject:
cantao wrote:
Yes, I guess the greatest problem is the big picture. I know PAM talks to OpenLDAP through pam_ldap, but I also know that Cyrus-SASL and OpenLDAP talk to each other. On the other hand, Cyrus-SASL *also* talks to PAM. Cyrus-SASL can use its own database, or use OpenLDAP. Everybody talks to everybody in every possible way. In the end, I am completely unable to know how the information flows from "login + password" to full authentication.
That was my impression too, that's why I skipped SASL whenever possible (I use it in postfix only, as it stores SMTP logins in there, IIRC).
Quote:
Talking about "old ways" of doing things, do you have any good documentation (ok, perhaps not so good, but understandable) on the new "cn=config" paradigm? Slapd.conf probably will be deprecated, so it is good to have a clean and correct start.
Unfortunately not. I won't be switching to OpenLDAP 2.4.x as long as it's not marked stable and did not look at the migration process so far.
cantao Apprentice
Joined: 07 Jan 2004 Posts: 166
Posted: Mon Aug 03, 2009 12:07 pm Post subject:
Good. As soon as I sort out the "cn=config" stuff, I'll post it here to help other OpenLDAP sufferers.
Thanks a lot again, Cantão!
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Mon Aug 03, 2009 1:57 pm Post subject:
If you're going to use OpenLDAP for management of auth, servers, e-mail, etc, then IMHO having SASL is redundant.
Someone else may point out a benefit to me, but I personally see none.
SSH logins can be managed with ldap, email addresses can be managed with ldap, things like postfix and apache can query ldap without a need for SASL.
I guess I'm somewhat in the same boat, and don't see how SASL ties in or why it would even be needed.
cantao Apprentice
Joined: 07 Jan 2004 Posts: 166
Posted: Mon Aug 03, 2009 5:52 pm Post subject:
That's exactly what I plan to use OpenLDAP for. I guess it's bye, bye SASL...
Thanks for the answer cach0rr0! (Off topic: do you know what your nick means in Portuguese?)
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Mon Aug 03, 2009 6:09 pm Post subject:
cantao wrote:
That's exactly what I plan to use OpenLDAP for. I guess it's bye, bye SASL...
Thanks for the answer cach0rr0! (Off topic: do you know what your nick means in Portuguese?)
aye, was a Brazilian friend who nicknamed me "c-cachorro" a long time ago.
It wasn't until later that I learned there were some unfortunate sexual connotations to the word - but I decided screw it, it's easy to remember!
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Mon Aug 03, 2009 6:13 pm Post subject:
I would recommend confirming what I've said with another source.
I know that SASL can use LDAP as its backend - what I'm looking for now so I can help answer you is information on whether or not ESMTP authentication can function using LDAP only, without SASL in the picture.
That is the only piece I can see that might require sasl - and I'm not entirely sure why.
aceFruchtsaft Guru
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
Posted: Mon Aug 03, 2009 7:04 pm Post subject:
cach0rr0 wrote:
I would recommend confirming what I've said with another source.
I know that SASL can use LDAP as its backend - what I'm looking for now so I can help answer you is information on whether or not ESMTP authentication can function using LDAP only, without SASL in the picture.
That is the only piece I can see that might require sasl - and I'm not entirely sure why.
At least postfix has a pam USE flag and the ebuild provides a /etc/pam.d/smtp which indicates that SMTP authentication should work through PAM without SASL as well. However, as I gather from Hildebrandt's "The book of postfix", you are constrained in the SMTP auth mechanism you can support by the choice of authentication backend. For example, if you go via saslauthd -> PAM -> pam_ldap -> openldap, it seems that you can use only the LOGIN and PLAIN SMTP auth mechanisms and I assume that this applies to authenticating directly via PAM as well.
See this table: http://omploader.org/vMjM5cQ
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Mon Aug 03, 2009 10:06 pm Post subject:
I'm not terribly concerned with allowing plaintext auth, as I only allow auth over a TLS-enabled socket.
Most all clients support both plain auth, and SMTP over TLS, so that's good enough for me.
My aim is to have postfix be able to talk to LDAP for ESMTP auth *without* a requirement of SASL. I don't know if this is possible or not - it would seem silly that that's a requirement though, an unnecessary middle man; authenticating to an authenticator who then authenticates you against LDAP? silliness!
aceFruchtsaft Guru
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
Posted: Tue Aug 04, 2009 9:03 am Post subject:
cach0rr0 wrote:
My aim is to have postfix be able to talk to LDAP for ESMTP auth *without* a requirement of SASL. I don't know if this is possible or not - it would seem silly that that's a requirement though, an unnecessary middle man; authenticating to an authenticator who then authenticates you against LDAP? silliness!
I don't know if postfix can authenticate directly against openldap (without PAM or SASL in between), but I can see why developers might be motivated to do it this way: they only have to code against a single API (PAM, SASL, whatever) which itself supports a multitude of authentication backends, instead of implementing authentication against unix, ldap, sql, etc. themselves.
cantao Apprentice
Joined: 07 Jan 2004 Posts: 166
Posted: Tue Aug 04, 2009 1:03 pm Post subject:
Hi!
I guess that for a while I'll go with OpenLDAP + PAM + TLS. It seems reasonably simple and that way I can at least see part of the big picture. As cach0rr0 said, why so many authenticators? (SASL <-> OpenLDAP <-> PAM <-> Whatever!)
Of course, let's keep the discussion open so other contributors with different experiences can help!
Thanks a lot, Cantão!