
Re: Why ldap sasl digest-md5 only works for clear password?



On Tue, 29/04/2003 at 21:05, Ming Deng wrote:

> I assume "the server" you talked about is slapd, since I don't even
> have to run saslauthd for those authentication actions. How can I make
> slapd know the key you mentioned about?

I'm barging in, hope Michael doesn't mind. The mechanism is described in
rfc2829, which should be in the OpenLDAP 2.1 distros.

You don't need saslauthd. The password has to be plain, since the server
calculates a hash of the password, sends a token based on this to the
client and the client has to send the correct hash based on the token
back. So they both have to be capable of the DIGEST-MD5 protocol. If
passwords were encrypted, this would be very difficult for the client.
Passwords are never sent over the network.

If you keep the slapd database (as well as any slapcat'ted ldifs) read
denied for everyone but the slapd user, then there's no security
problem.

I use CRAM-MD5 (nearly the same) together with TLS for ldap-based mail
server authentication.

Best,

Tony

-- 
Tony Earnshaw

Do not come to visit me with both arms the same length.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl

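The exchange Tony describes, as an added example that is not part of the original thread and not OpenLDAP's or Cyrus SASL's code: a toy DIGEST-MD5 (RFC 2831, qop=auth) client and server in Python. The user name, realm, digest-uri, nonces and the `{CLEARTEXT}`/`{SSHA}` userPassword values are all constructed for illustration. It shows the three points made above: the server only needs MD5(user:realm:password) (a "password equivalent", which is why the database must be unreadable to anyone but slapd), the clear password never appears on the wire, and a directory that holds only a one-way salted hash cannot verify the client's proof at all.

```python
"""Toy DIGEST-MD5 (RFC 2831) bind: why slapd needs the password in clear.

Added example, not code from the original post or from OpenLDAP. The
userPassword formats ({CLEARTEXT}, {SSHA}), names and nonces are constructed.
"""
import base64
import hashlib
import hmac
import secrets


def a1_secret(username: str, realm: str, password: str) -> bytes:
    """MD5(user:realm:password): all the server ever needs to hold.

    It is a password equivalent (whoever steals it can authenticate), which is
    why the slapd database and slapcat'ted LDIFs must be readable only by the
    slapd user.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """Client proof per RFC 2831 for qop=auth. The password itself never appears."""
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(
        f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def server_a1_from_store(stored: str, username: str, realm: str):
    """Derive the A1 secret from a stored userPassword, or None if impossible.

    '{CLEARTEXT}pw' works. A one-way salted hash such as '{SSHA}...' does not:
    MD5(user:realm:password) cannot be computed without the password.
    """
    if stored.startswith("{CLEARTEXT}"):
        return a1_secret(username, realm, stored[len("{CLEARTEXT}"):])
    return None  # {SSHA}, {CRYPT}, ...: DIGEST-MD5 cannot be verified


def ssha(password: str, salt: bytes = b"\x00\x01\x02\x03") -> str:
    """Constructed {SSHA} value, used only to show the failure case."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def run_exchange(stored: str, client_password: str,
                 username: str = "ming", realm: str = "example.org",
                 digest_uri: str = "ldap/ldap.example.org",
                 nonce: str = None, cnonce: str = None) -> dict:
    """Simulate one DIGEST-MD5 bind; return the wire values and the verdict."""
    nonce = nonce or secrets.token_hex(16)    # server challenge
    cnonce = cnonce or secrets.token_hex(16)  # client nonce
    nc = "00000001"
    # Client side: prove knowledge of the password without sending it.
    client_resp = digest_response(a1_secret(username, realm, client_password),
                                  nonce, cnonce, nc, digest_uri)
    # Server side: recompute the expected proof from what the directory stores.
    server_secret = server_a1_from_store(stored, username, realm)
    if server_secret is None:
        ok, verdict = False, "server cannot verify: no clear password available"
    else:
        expected = digest_response(server_secret, nonce, cnonce, nc, digest_uri)
        ok = hmac.compare_digest(expected, client_resp)
        verdict = "bind ok" if ok else "invalid credentials"
    return {"nonce": nonce, "cnonce": cnonce, "response": client_resp,
            "ok": ok, "verdict": verdict}


if __name__ == "__main__":
    for store in ("{CLEARTEXT}s3cret", ssha("s3cret")):
        r = run_exchange(store, "s3cret")
        print(store[:11], "->", r["verdict"],
              "| clear password on the wire:", "s3cret" in str(r))
```

Running it binds successfully against the `{CLEARTEXT}` entry and fails against the `{SSHA}` one with the same correct password, which is the behaviour the original question was seeing. Note that the server could equally store the 16-byte `a1_secret` instead of the clear password (some SASL setups do exactly that); it is no less sensitive, so the file-permission advice above applies either way.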