
List:       cyrus-info
Subject:    Best/Easiest method using encrypted password in MySQL DB
From:       dwhite () olp ! net (Dan White)
Date:       2010-01-30 4:51:10
Message-ID: 20100130045109.GB4842 () dan ! olp ! net

On 29/01/10 19:00 -0800, Nybbles2Byte wrote:
> I don't think I can say much more than the title.  Cyrus seems to be running well
> but I would like to have the password in the MySQL DB encrypted.
> Does anyone have a "best way" of implementing that?
>
> My only criterion is that Postfix looks up the same table for user info, so whatever
> the implementation is Postfix has to be able to read/decrypt the encrypted password
> as well.

There are a couple of options via saslauthd:

1) Have saslauthd use the PAM backend, and the pam_mysql module to perform
password verification.

2) Have saslauthd use the PAM backend, and use the standard pam_unix
module along with an NSS mysql library which allows you to store
password/shadow information in mysql.

There may also be a way to authenticate against hashed auxprop attributes
in the upcoming sasl 2.1.24 release, but I don't have any examples of how
that will work (see the NEWS file in the 2.1.24rc1 release for more info).

You should be aware that any of these methods will disallow the use of SASL
security layers. You will need to use SSL/TLS or another external security
mechanism to protect the transmission of passwords over the network.

-- 
Dan White
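
One way option 1 above can be configured, as an added example that is not part of the original message. The database name, table, column names and credentials are placeholder assumptions, and file paths vary by distribution.

```conf
# Added example. Values marked (assumed) are placeholders, not from the thread.

# --- saslauthd: run with the PAM backend ---
#   saslauthd -a pam

# --- /etc/pam.d/imap  (PAM service name Cyrus IMAP passes to saslauthd) ---
# crypt=1 tells pam_mysql that the password column holds crypt(3) hashes.
# user/passwd/db/table/column values are (assumed).
# This file contains the DB credential: keep it readable by root only.
auth    required pam_mysql.so user=mailauth passwd=CHANGE_ME host=localhost db=mail table=users usercolumn=username passwdcolumn=password crypt=1
account required pam_mysql.so user=mailauth passwd=CHANGE_ME host=localhost db=mail table=users usercolumn=username passwdcolumn=password crypt=1

# --- /etc/pam.d/smtp  (PAM service name Postfix passes to saslauthd) ---
# Use the same two lines as above so both daemons verify against one table.

# --- /etc/imapd.conf ---
# saslauthd needs the cleartext password from the client, so only
# PLAIN and LOGIN can work; neither provides a SASL security layer.
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
# Refuse plaintext logins unless the connection is already under TLS.
allowplaintext: no

# --- Postfix's Cyrus SASL config, e.g. /etc/postfix/sasl/smtpd.conf ---
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

# --- /etc/postfix/main.cf ---
smtpd_sasl_auth_enable = yes
# Only offer AUTH after STARTTLS, so passwords never cross the wire in clear.
smtpd_tls_auth_only = yes
```

TLS certificates still have to be configured in both Cyrus and Postfix for the two plaintext restrictions to leave any usable login path.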

