[Date Prev][Date Next]
Re: OpenLDAP/SASL working only with unhashed passwords
Daniel Qarras wrote:
after spending several days fighting with OpenLDAP2.3/SASL setup I'm
finally at point where both sample-client/server and ldapwhoami work
for a user who's got his password stored in cleartext in LDAP's
userPassword field. I'm using TLS and both PLAIN and DIGEST-MD5 work.
However, for a user with his password stored as SSHA has in LDAP's
userPassword neither of those work.
It seems that DIGEST-MD5 can only work if both sides have access to the
cleartext password, right? Thus, it was expected that DIGEST-MD5 can't
But I'm out of clues with PLAIN (over TLS, using a self-signed
certificate) as why it doesn't work for a user who's password is in
SSHA. The users are testusers I entered, the ldif file used was 1:1,
only the uids and passwords were different. I am still missing some
basic principle of SASL or what's going on here?
You can use saslauthd to authenticate PLAIN. I'm using
saslauthd/pam with libpam_ldap to to accomplish this during a
transition period where my passwords are hashed.
You'd need to set the pwcheck_method to include saslauthd in your
slapd.conf *sasl* config file to support it.