Re: OpenLDAP, Kerberos not Compatible with DIGEST-MD5?

Jorge Diaz wrote:
> Hi Everyone!
> Thanks to Kurt D. Zeilenga for the help previously. I now have another question about storing passwords.
> I have Kerberos 5 (Heimdal), and I could use GSSAPI and Simple Bind specifying {SASL}user@realm and configuring saslauthd. So far... so good!
> But I need DIGEST-MD5 to be LDAPv3 Fully Compatible! (I need Plain Text Passwords!) Is it not a security problem? How could I enable DIGEST-MD5 and KERBEROS.... how do I synchronize them? (Kerberos doesn't store plain text passwords and DIGEST-MD5 needs plain text)..... How to solve this dilemma?

There is only one easy way to solve this problem: migrate the Heimdal KDC database into OpenLDAP slapd, so that the Kerberos keys are stored in each user's entry. Also load the smbk5pwd module (from contrib/slapd-modules). Then configure slapd's passwd-hash with both {KRB5KEY} and {CLEARTEXT} so that the plaintext and the Kerberos key are maintained.

This also means you must use the Cyrus auxprop mechanism, not saslauthd. (Which is a good idea anyway, the auxprop mechanism is the most efficient.)

> Another question... How to implement DIGEST-MD5 without using the sasldb backend? How to store passwords directly in the LDAP userPassword attribute and implement DIGEST-MD5?

slapd will automatically search the user's LDAP entry for the userPassword and use it for SASL authentication, if you use the default settings (i.e., use auxprop, not saslauthd). For all other SASL-enabled servers you'll need the ldapdb module, which used to be in OpenLDAP contrib but is now part of Cyrus SASL.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
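
The reason the thread ends up at a cleartext userPassword, shown as an added example that is not part of the original message and is not slapd or Cyrus SASL code: the server has to recompute the DIGEST-MD5 response itself, and the only password-derived input is MD5(user:realm:password). The sketch follows RFC 2831 for qop=auth with no authzid and uses the client message from that RFC's IMAP example; `server_verify` and its handling of `{SCHEME}` prefixes are assumptions made for illustration.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def secret_hash(user: str, realm: str, password: str) -> bytes:
    """H(user:realm:password), the only password-derived input to DIGEST-MD5."""
    return _md5(f"{user}:{realm}:{password}".encode("utf-8"))

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response value for qop=auth with no authzid."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd_data = f"{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2).hex()}"
    return _md5(f"{_md5(a1).hex()}:{kd_data}".encode()).hex()

def server_verify(stored: str, user: str, realm: str, msg: dict) -> bool:
    """Recompute the response from the stored userPassword value.

    Simplification for this example: a value starting with "{SCHEME}" other
    than {CLEARTEXT} is treated as a one-way hash.
    """
    if stored.startswith("{CLEARTEXT}"):
        stored = stored[len("{CLEARTEXT}"):]
    elif stored.startswith("{"):
        # The cleartext cannot be recovered from a one-way hash, so the
        # server has nothing to feed into secret_hash().
        return False
    expected = digest_response(secret_hash(user, realm, stored), msg["nonce"],
                               msg["cnonce"], msg["nc"], msg["digest-uri"])
    return hmac.compare_digest(expected, msg["response"])

# Client message from the IMAP example in RFC 2831 (password "secret").
RFC2831_MSG = {
    "nonce": "OA6MG9tEQGm2hh", "cnonce": "OA6MHXh6VqTrRk", "nc": "00000001",
    "digest-uri": "imap/elwood.innosoft.com",
    "response": "d388dad90d4bbd760a152321f2143af7",
}

if __name__ == "__main__":
    # Second stored value is a constructed placeholder, not a real hash.
    for stored in ("secret", "{SSHA}constructed-placeholder"):
        ok = server_verify(stored, "chris", "elwood.innosoft.com", RFC2831_MSG)
        print(f"{stored!r}: {'verified' if ok else 'cannot verify'}")
```
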