[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAP and DIGEST-MD5 SASL - rfc2829

To: ietf-ldapext@netscape.com
Subject: LDAP and DIGEST-MD5 SASL - rfc2829
From: david.a.cahlander@syntegra.com
Date: Thu, 31 Aug 2000 17:44:07 -0500 (CDT)

Where do I store the credentials for DIGEST-MD5 in the directory?
(i.e. what attribute name)
Is READ access control needed for this attribute?

I'm trying to implement DIGEST-MD5 in an LDAP front-end to an X500 Directory.
I can't figure out what needs to be stored for credentials.  Thanks to
OpenLDAP, I have an ldapsearch that does the first part of the bind operation.
I have read RFC2829 and RFC2831 but find that I am at a loss to understand
how the very simple operation of authentication is performed.

>From RFC2829 section 6.1:

   The server will respond with a bind response in which the resultCode
   is either success, or an error indication.

I have no idea how this operation is performed.  RFC2831 does not seem to
give a clue about this either.  As near as I can tell, the LDAP server
is required to either use a separate file for authentication information
that contains:

    username
    MD5hash( username-value ":" realm-value ":" passwd )

or store this information in the directory entry for the user that is
trying to authenticate.  It is not clear which attribute this information
needs to be stored in or what access control is needed for this attribute.

The catch-22 comes from what I see as a very serious security violation
with any of the methods that can be used to implement this operation.
Since the user needs only the MD5hash value to authenticate, The MD5hash
value can be considered as a plaintext password.  (3,9 in /rfc2831)
In order to do the DIGEST-MD5 calulation, this attribute needs to be able
to be read.  This means that any administrator that has access to the
directory can read this password hash and use it to authenticate to the
directory as that user.

In an X500 situation, this attribute must be able to be read between two
DSAs.  A snoop on the line will reveal this password hash, the same as
being able to read a cleartext password.  At least with simple authentication
the only thing passed between the DSAs is a compare operation.

I'm sure that I'm missing something very basic.  With all the complexity
of the DIGEST-MD5 operation, I can't believe that it is so simple to
break the authentication operation.

Kurt Zeilenga indicated that openldap allowed cyrus to handle the password and
the authentication.  This would seem to work fine for a single directory on
a single machine, but it does not work with replicated directories.

Can someone shed some likght on this problem?

Thanks
---
David Cahlander David.A.Cahlander@syntegra.com 651-415-3171

Prev by Date: new co-chair for LDAPEXT
Index(es):
- Chronological
- Thread