
Re: SASL AD + SASL SCRAM



On 05/16/12 11:47 +0200, Pieter Baele wrote:
> Hi,
>
> My current LDAP setup uses SASL PTA to authenticate against Active Directory.
> For users only existing in OpenLDAP, I would use SASL SCRAM, so no
> passwords pass over the wire except for those in AD ;-)

For SASL SCRAM support, you'll need to compile the OpenLDAP server and
client utilities against cyrus sasl 2.1.25. And/or you can use SSL/STARTTLS to
protect the authentication exchange. SASL SCRAM requires that you perform
SASL authentication from your LDAP clients, and not simple authentication.

An alternative to SCRAM that is supported in older versions of cyrus sasl
is DIGEST-MD5.

> But I believe only 1 method can be used by SASL External?

Neither pass-through authentication nor SCRAM really has anything to do
with SASL EXTERNAL. SASL EXTERNAL might come into play if you're performing
STARTTLS with client certificates.

> Any guidelines on configuring something like this? Do I really need the
> meta backend or is there a better way?

Specifically with regards to SCRAM (or DIGEST-MD5), you will need to store
your passwords in clear text. See:

http://www.openldap.org/lists/openldap-technical/201110/msg00168.html

The meta backend is not necessary to support either pass-through
authentication or local SCRAM authentication. In what scenario are you
looking to use the meta backend?

--
Dan White
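The reply above makes two points that are easier to see with the actual SCRAM exchange in front of you: the password never crosses the wire (only a proof derived from it does), and the server side must be able to derive the SCRAM keys from the cleartext password, which it cannot do from an existing hashed userPassword. The following is an added, self-contained SCRAM-SHA-1 (RFC 5802) walk-through written for this thread; it is not OpenLDAP or cyrus-sasl code, the user name, password, salt and nonces are constructed sample values, and it omits channel binding and SASLprep normalisation.

```python
"""Constructed SCRAM-SHA-1 (RFC 5802) exchange showing both sides' messages and
the verifier the server has to hold.  Added illustration for the thread above,
not OpenLDAP or cyrus-sasl code."""
import base64
import hashlib
import hmac
import os

HASH = "sha1"  # SCRAM-SHA-1, the mechanism the thread discusses


def hi(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-1 and one block of output."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def scram_keys(password: str, salt: bytes, iterations: int) -> dict:
    """Derive ClientKey / StoredKey / ServerKey from the cleartext password.
    This is the step a server cannot perform from a stored {SSHA}-style hash,
    which is why the reply says SCRAM needs the password in clear text."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return {
        "client_key": client_key,
        "stored_key": hashlib.new(HASH, client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", HASH).digest(),
    }


def scram_enroll(password: str, salt: bytes = None, iterations: int = 4096) -> dict:
    """Server-side record for one user: salt, iteration count, StoredKey, ServerKey."""
    if salt is None:
        salt = os.urandom(16)
    keys = scram_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": keys["stored_key"], "server_key": keys["server_key"]}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scram_authenticate(username: str, password: str, verifier: dict,
                       client_nonce: str = None, server_nonce: str = None) -> dict:
    """Run the four SCRAM messages between a client holding `password` and a
    server holding `verifier`.  Returns the transcript plus both verdicts."""
    client_nonce = client_nonce or _b64(os.urandom(12))
    server_nonce = server_nonce or _b64(os.urandom(12))

    # 1. client-first-message; "n,," is the GS2 header (no channel binding).
    client_first_bare = f"n={username},r={client_nonce}"
    client_first = "n,," + client_first_bare

    # 2. server-first-message: server appends its nonce and sends salt + iterations.
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={_b64(verifier['salt'])},i={verifier['iterations']}"

    # 3. client-final-message: proof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    #    "biws" is base64("n,,"), echoing the GS2 header.
    client_final_without_proof = f"c=biws,r={nonce}"
    auth_message = ",".join([client_first_bare, server_first,
                             client_final_without_proof]).encode("ascii")
    keys = scram_keys(password, verifier["salt"], verifier["iterations"])
    client_signature = hmac.new(keys["stored_key"], auth_message, HASH).digest()
    proof = _xor(keys["client_key"], client_signature)
    client_final = f"{client_final_without_proof},p={_b64(proof)}"

    # 4. server check: recover ClientKey from the proof and hash it; only the
    #    proof crossed the wire, never the password or the salted password.
    server_client_signature = hmac.new(verifier["stored_key"], auth_message, HASH).digest()
    recovered_client_key = _xor(proof, server_client_signature)
    client_ok = hmac.compare_digest(hashlib.new(HASH, recovered_client_key).digest(),
                                    verifier["stored_key"])
    server_signature = hmac.new(verifier["server_key"], auth_message, HASH).digest()
    server_final = f"v={_b64(server_signature)}" if client_ok else "e=invalid-proof"

    # 5. client check: the server proved it holds ServerKey (mutual authentication).
    expected = hmac.new(keys["server_key"], auth_message, HASH).digest()
    server_ok = client_ok and hmac.compare_digest(server_signature, expected)

    return {"client_first": client_first, "server_first": server_first,
            "client_final": client_final, "server_final": server_final,
            "client_authenticated": client_ok, "server_authenticated": server_ok}


if __name__ == "__main__":
    # Constructed sample: an OpenLDAP-only user enrolled from a cleartext password.
    verifier = scram_enroll("correct horse", salt=b"\x00" * 16, iterations=4096)
    for key, value in scram_authenticate("pieter", "correct horse", verifier).items():
        print(f"{key}: {value}")
```

Note that `scram_enroll` is the only place the cleartext password is needed on the server side; a deployment that precomputes and stores just the salt, iteration count, StoredKey and ServerKey would not have to keep the cleartext. The OpenLDAP/cyrus-sasl setup in the thread does not work that way: it derives these values from the cleartext userPassword at bind time, hence the requirement stated in the reply.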