On Tue, Dec 09, 2008 at 01:57:43PM +0100, Thomas Siebert wrote:
>> That works but has 3 main drawbacks:
>> - It is a pain to set up SSL LDAP on both Windows and Linux. If you don't do this then it is massively insecure.
> Agreed, if you don't it is massively insecure. But I don't see why it should be that complicated. For the ADS, Microsoft gives advice: http://support.microsoft.com/kb/321051
> ...and for Linux, there are tons of tutorials.
Right, it isn't impossible, but setting up a CA, generating certs, installing them and enabling the magic feature (on all your ADS servers) is much more work than setting up winbind :)
>> - Passwords must be exchanged in plain text over IMAP. Also no single sign on capabilities.
> Agreed there's no single sign on. But for plain text password exchange, there's no drawback when you use IMAPS or POP3S. And you should always do so.
Well, the security advantage to all the hashing schemes is that a compromise of your IMAP server does not result in a plain text password disclosure for all users.
> For load balancing, it should be possible to use a round-robin DNS server instead. And you forget that the number of LDAP queries will be doubled as there's no possibility to use userdb prefetch.
I looked at load balancing with SSL LDAP once and rapidly ran into trouble with certificate validation issues. The SSL certs in the ADS should have unique machine names, which was incompatible with a DNS round robin. The new SRV record processing code in OpenLDAP is supposed to avoid that problem though.
Also, winbind doesn't actually authenticate over LDAP, it uses a much lower overhead UDP protocol...
Once you no longer need to do authentication over LDAP it becomes possible to maintain a long-term kerberized LDAP session for user database queries if you need that (though I suppose dovecot cannot do that today). Removing the per-user SSL setup cost would easily gain back any overheads from even the most expensive authentication operation that winbind does.
Heck, even being able to do a root-owned kerberized LDAP query would be a nice dovecot feature for ADS integration since it removes the need for SSL setup entirely. Once samba joins an ADS domain, root has access to the host$ ticket and can do secured LDAP queries using the machine account.
Jason
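The certificate-validation problem with round-robin DNS that Jason describes, and why SRV-based discovery sidesteps it, as an added example that is not part of the original thread. The DC names, SAN lists and SRV answers are constructed, and the hostname matcher is a hand-rolled RFC 6125-style check rather than a TLS library call.

```python
"""Round-robin alias vs. SRV discovery for LDAPS certificate validation.

Added example, not from the mailing-list thread. All names below are
constructed; a real AD DC's certificate carries the DC's own FQDN.
"""

def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """RFC 6125-style match: exact label match, or a single leftmost
    wildcard label ('*.example.com') standing in for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False

# Constructed lab: two DCs, each presenting a cert that names only itself.
DC_CERT_SANS = {
    "dc1.example.com": ["dc1.example.com"],
    "dc2.example.com": ["dc2.example.com"],
}

# Constructed SRV answers for _ldap._tcp.dc._msdcs.example.com:
# (priority, weight, port, target)
SRV_RECORDS = [(0, 100, 389, "dc1.example.com."),
               (0, 100, 389, "dc2.example.com.")]

def validate_via_alias(alias: str) -> dict[str, bool]:
    """Round-robin: the client always verifies the alias it connected to,
    whichever DC the A record happened to hand out."""
    return {dc: hostname_matches(alias, sans) for dc, sans in DC_CERT_SANS.items()}

def validate_via_srv(srv_records) -> dict[str, bool]:
    """SRV discovery: the client connects by the SRV target name, so the
    name it verifies is the DC's own FQDN and matches that DC's cert."""
    results = {}
    for _prio, _weight, _port, target in sorted(srv_records):
        fqdn = target.rstrip(".")
        results[fqdn] = hostname_matches(fqdn, DC_CERT_SANS.get(fqdn, []))
    return results

if __name__ == "__main__":
    print("alias:", validate_via_alias("ldap.example.com"))  # every DC fails
    print("srv:  ", validate_via_srv(SRV_RECORDS))           # every DC passes
```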