
SASL hashing schemes



Hi,
RFC 5802 describes a Salted Challenge Response
Authentication Mechanism, and RFC 5803 describes a schema for storing
salted challenge response mechanism secrets, which recommends an
authPassword attribute type with a salted hash and a hashing scheme as
attribute value.
It seems that OpenLDAP doesn't know authPassword:

ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username:
gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth SASL SSF: 0
dn: cn=dieter kluenter,ou=partner,o=avci,c=de
changetype: modify
add: authPassword 
authPassword: xxxxxxx

modifying entry "cn=dieter kluenter,ou=partner,o=avci,c=de"
ldap_modify: Undefined attribute type (17)
	additional info: authPassword: attribute type undefined

Although the SASL mechanism is provided and known, the attribute
userPassword maintains a plaintext value.

ldapwhoami -Y SCRAM-SHA-1 -U dieter -w xxxx -H ldapi:///
SASL/SCRAM-SHA-1 authentication started
SASL username: dieter
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

It seems that SASL authentication only supports SCRAM mechanisms with a
plaintext value.
Is there any intention to fully implement RFC 5802 and RFC 5803?

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
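As an added example (not part of Dieter's post, nor OpenLDAP's own code), the following Python builds and checks an RFC 5803 authPassword value for SCRAM-SHA-1, so that only the salted StoredKey/ServerKey pair from RFC 5802 sits in the directory instead of a plaintext userPassword. It assumes an ASCII password (the SASLprep step RFC 5802 requires is omitted) and uses the RFC 5802 example salt and iteration count as constructed input.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# RFC 5803 authPassword value layout (RFC 3112 syntax): scheme "$" authInfo "$" authValue
#   authInfo  = iterationCount ":" base64(salt)
#   authValue = base64(StoredKey) ":" base64(ServerKey)
# StoredKey and ServerKey are the RFC 5802 section 3 values; the password itself is never stored.
SCHEME = "SCRAM-SHA-1"


def scram_keys(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Derive (StoredKey, ServerKey) per RFC 5802 section 3. Assumes password is already SASLprep'd."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)  # Hi()
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return stored_key, server_key


def make_authpassword(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> str:
    """Produce the attribute value to store; a fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    stored_key, server_key = scram_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"{SCHEME}${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def parse_authpassword(value: str) -> Tuple[int, bytes, bytes, bytes]:
    """Split a stored value into (iterations, salt, StoredKey, ServerKey); reject other schemes."""
    scheme, auth_info, auth_value = (part.strip() for part in value.split("$", 2))
    if scheme != SCHEME:
        raise ValueError(f"unsupported authPassword scheme: {scheme}")
    iterations, salt_b64 = auth_info.split(":", 1)
    stored_b64, server_b64 = auth_value.split(":", 1)
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def verify_password(value: str, candidate: str) -> bool:
    """Check a candidate password (e.g. from a simple bind) against the stored keys, constant-time."""
    iterations, salt, stored_key, _server_key = parse_authpassword(value)
    got_stored, _ = scram_keys(candidate, salt, iterations)
    return hmac.compare_digest(got_stored, stored_key)


if __name__ == "__main__":
    # Constructed input: the RFC 5802 example password/salt/iteration count.
    rfc_salt = b"\x41\x25\xc2\x47\xe4\x3a\xb1\xe9\x3c\x6d\xff\x76"
    print(make_authpassword("pencil", rfc_salt, 4096))
```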