Kerberos and DIGEST-MD5

[Jose Gonzalez Gomez <jgonzalez@opentechnet.com>]

   Hi there,

   I've been searching the web and the mailing list for a solution to 
this but haven't been able to find an answer. Sorry if this has been 
answered before...

   I have managed to install an authentication server using mit-krb5 
1.3.3, cyrus-sasl 2.1.18 and openldap 2.1.26. Right now I'm able to 
authenticate any user on my network using pam/nss accessing Kerberos and 
OpenLDAP, so in order for an user to login she must have a corresponding 
Kerberos principal and a LDAP entry with objectClass=posixAccount (among 
others). I'm also able to authenticate to LDAP using GSSAPI/Kerberos, 
and simple BIND using {SASL}user@REALM in the userPassword attribute (as 
it seems that the {KERBEROS} way is deprecated) checking the password 
against saslauthd/Kerberos database.

   So what's the problem? It seems that to build a LDAPv3 compliant 
server I must provide DIGEST-MD5 authentication to the LDAP server, and 
this is what I don't know how to achieve in a clean manner. In order to 
have DIGEST-MD5 working I must have a clear text password stored 
somewhere (correct me if I'm wrong), but it seems that Kerberos doesn't 
have it, or I don't know how to use it in the DIGEST-MD5 authentication 
process. It seems that Cyrus SASL *does need* this password stored in 
its sasldb2 database to be able to successfully offer DIGEST-MD5, but 
this would mean that I'd have duplicated information and I'd have to 
sync both databases (Kerberos and SASL) whenever a password change 
occurs. So, am I missing anything here? Is there any clean solution for 
this?

   Thanks in advance, best regards
   Jose