
Re: OpenLDAP/SASL working only with unhashed passwords



Daniel Qarras <dqarras@yahoo.com> writes:

> Hi all,
>
> after spending several days fighting with OpenLDAP 2.3/SASL setup I'm
> finally at point where both sample-client/server and ldapwhoami work
> for a user who's got his password stored in cleartext in LDAP's
> userPassword field. I'm using TLS and both PLAIN and DIGEST-MD5 work.
> However, for a user with his password stored as an SSHA hash in LDAP's
> userPassword neither of those work.
>
> It seems that DIGEST-MD5 can only work if both sides have access to the
> cleartext password, right? Thus, it was expected that DIGEST-MD5 can't
> work.
>
> But I'm out of clues with PLAIN (over TLS, using a self-signed
> certificate) as to why it doesn't work for a user whose password is in
> SSHA. The users are test users I entered, the ldif file used was 1:1,
> only the uids and passwords were different. Am I still missing some
> basic principle of SASL, or what's going on here?
[...]

Think twice!
This is not an OpenLDAP issue but a SASL issue; ask on a SASL
mailing list how SASL mechanisms are designed and how they retrieve
credentials.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
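The thread's underlying point is how each SASL mechanism retrieves and checks credentials. The following is an added illustration (not code from either poster, nor from OpenLDAP or Cyrus SASL) with a constructed two-user database: PLAIN hands the server the password itself, so the server only needs to hash the candidate the same way as the stored {SSHA} value and compare; DIGEST-MD5 (RFC 2831) needs MD5(username:realm:password) on both sides, which cannot be derived from a one-way {SSHA} hash. The realm, nonces and digest-uri are made up for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed test data (not from the thread): one user with a cleartext
# userPassword and one whose userPassword is an {SSHA} hash of the same
# password. Realm, nonces and digest-uri below are also made up.
PASSWORD = b"s3cret-pw"
REALM = "example.com"


def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_user_password(stored, candidate):
    """Check a candidate password against a stored userPassword value.

    Only cleartext and {SSHA} are handled here; slapd supports more schemes.
    A password-based check only needs to hash the candidate the same way
    and compare, so it works whether or not the cleartext is stored.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), candidate)


USERDB = {
    "clearuser": PASSWORD.decode(),
    "sshauser": ssha_hash(PASSWORD, salt=b"\x01\x02\x03\x04"),
}


# --- SASL PLAIN (RFC 4616): the client sends the password itself -----------
def plain_client_message(authcid, password, authzid=""):
    """authzid NUL authcid NUL passwd, as carried inside the TLS session."""
    return authzid.encode() + b"\0" + authcid.encode() + b"\0" + password


def plain_server_verify(message):
    _authzid, authcid, password = message.split(b"\0", 2)
    stored = USERDB.get(authcid.decode())
    return stored is not None and verify_user_password(stored, password)


# --- SASL DIGEST-MD5 (RFC 2831, qop=auth, no authzid) ------------------------
def _md5hex(data):
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, password, nonce, cnonce, nc, digest_uri):
    """Client side: HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))).

    H(A1) starts from MD5(username:realm:password), so whoever computes it
    needs the cleartext password (or that inner MD5 value) on hand.
    """
    inner = hashlib.md5(f"{username}:{REALM}:".encode() + password).digest()
    ha1 = _md5hex(inner + f":{nonce}:{cnonce}".encode())
    ha2 = _md5hex(f"AUTHENTICATE:{digest_uri}".encode())
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode())


def digest_md5_server_verify(username, nonce, cnonce, nc, digest_uri, response):
    """Server side. Returns "ok", "bad-response" or "unverifiable"."""
    stored = USERDB.get(username)
    if stored is None:
        return "bad-response"
    if stored.startswith("{"):
        # A one-way hash such as {SSHA} cannot be turned back into the
        # cleartext, nor into MD5(username:realm:password), so the server
        # has nothing from which to recompute the expected response.
        return "unverifiable"
    expected = digest_md5_response(username, stored.encode(), nonce, cnonce, nc, digest_uri)
    return "ok" if hmac.compare_digest(expected, response) else "bad-response"


if __name__ == "__main__":
    uri = "ldap/ldap.example.com"
    for user in ("clearuser", "sshauser"):
        print(user, "PLAIN:", plain_server_verify(plain_client_message(user, PASSWORD)))
        resp = digest_md5_response(user, PASSWORD, "n1", "c1", "00000001", uri)
        print(user, "DIGEST-MD5:", digest_md5_server_verify(user, "n1", "c1", "00000001", uri, resp))
```

The split follows from the mechanism design: any mechanism whose proof is a keyed function of the cleartext (DIGEST-MD5, CRAM-MD5) needs the server to hold either the cleartext or the mechanism-specific derived secret, while a mechanism that transmits the password (PLAIN over TLS) can be checked against any one-way scheme the server knows how to recompute.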