
Re: SASL/DIGEST-MD5 Question

Mon, 2003-01-06 at 22:07, MacLellan, Scott wrote:

> I am working on setting up authentication with OpenLDAP using
> SASL/DIGEST-MD5.  I am using a simple Java/JNDI program to
> authenticate with the server and everything works fine. My question,
> however, revolves around why the server stores the passwords on the
> server in clear text.  Is there a way to tell OpenLDAP to encrypt the
> password so that an admin cannot easily read it?  I hope I am missing
> something simple.

The way I understand it is that both CRAM-MD5 and DIGEST-MD5 servers
send tokens to the client based on the client's password. The client
does a calculation based on his own password and sends the result back.
Since the server cannot decrypt an encrypted password, if it were stored
encrypted the token would be wrongly interpreted by the client.

In principle I agree. My SMTP server does LDAP-based CRAM-MD5
authentication for some clients; the passwords are stored in clear text
on the LDAP server. The only way of securing these is to make sure only
root, the LDAP user or the mail server (the last two without login
access) has access to passwords on the LDAP server.



Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
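The challenge-response exchange described in the reply above, as an added example that is not part of the original thread or of OpenLDAP itself. It walks through a CRAM-MD5 (RFC 2195) exchange between a client and a server, which is what Tony's SMTP server uses, and shows why the server has to hold the plaintext: it must recompute the same HMAC-MD5 the client computed. The credential stores, the hostname `ldap.example.test`, the user `scott` and the password are constructed sample data; the `{SSHA}` store mimics the one-way salted hash OpenLDAP uses for simple binds, to show that a server holding only that cannot verify a CRAM-MD5 response.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample data: a CRAM-MD5 server must keep the plaintext
# (or a reversible form) because it re-runs the client's keyed hash.
PLAINTEXT_STORE = {"scott": "correct horse"}


def ssha_hash(password, salt=None):
    """One-way salted SHA-1 in OpenLDAP's {SSHA} layout (digest || salt, base64)."""
    salt = salt if salt is not None else secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Same user, but stored the way a simple-bind-only directory would store it.
HASHED_STORE = {"scott": ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")}


def server_challenge(hostname="ldap.example.test", pid=None, ts=None):
    """Server -> client: base64 of a unique '<pid.timestamp@host>' nonce (RFC 2195)."""
    pid = pid if pid is not None else os.getpid()
    ts = ts if ts is not None else int(time.time())
    return base64.b64encode(f"<{pid}.{ts}@{hostname}>".encode())


def client_response(username, password, challenge_b64):
    """Client -> server: base64 of 'username hex(HMAC-MD5(password, challenge))'."""
    challenge = base64.b64decode(challenge_b64)
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {mac}".encode())


def server_verify(store, response_b64, challenge_b64):
    """Server side: recompute the MAC from the stored secret and compare."""
    username, _, mac = base64.b64decode(response_b64).decode().partition(" ")
    secret = store.get(username)
    if secret is None or secret.startswith("{SSHA}"):
        # A one-way hash cannot be turned back into the HMAC key the client
        # used, so the server has nothing to compare against: this is the
        # reason the directory ends up holding the clear-text password.
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)


def run_exchange(store, username, password, challenge=None):
    """Full exchange with a fixed nonce so the result is reproducible."""
    challenge = challenge or server_challenge(pid=12345, ts=1041886020)
    response = client_response(username, password, challenge)
    return server_verify(store, response, challenge)


def replay_is_rejected(store, username, password):
    """A response captured for one challenge must not verify against another."""
    first = server_challenge(pid=12345, ts=1041886020)
    second = server_challenge(pid=12345, ts=1041886021)
    captured = client_response(username, password, first)
    return not server_verify(store, captured, second)


if __name__ == "__main__":
    print("plaintext store, right password:", run_exchange(PLAINTEXT_STORE, "scott", "correct horse"))
    print("plaintext store, wrong password:", run_exchange(PLAINTEXT_STORE, "scott", "wrong"))
    print("{SSHA} store, right password:   ", run_exchange(HASHED_STORE, "scott", "correct horse"))
    print("replay against new challenge rejected:", replay_is_rejected(PLAINTEXT_STORE, "scott", "correct horse"))
```

The password never crosses the wire and a captured response is useless against a fresh challenge, but the trade-off is exactly the one the thread describes: the server's copy of the secret is the password itself, so protecting the directory ACLs (and the mail server's and slapd's own credentials) is what stands between an administrator and every user's password. DIGEST-MD5 (RFC 2831) keys its exchange on H(username:realm:password) rather than the raw password, so a server may store that hash instead of the plaintext; that value is still password-equivalent for the mechanism, so it needs the same access restrictions.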