Re: Using SCRAM-SHA-1 and authPassword

[Howard Chu <hyc@symas.com>]

Michael Ströder wrote:
> Howard Chu wrote:
> > Michael Ströder wrote:
> > > Howard Chu wrote:
> > > > Michael Ströder wrote:
> > > > > 4. In case of SASL mechanisms which require 'userPassword' value(s) in clear
> > > > > you would have to implement a reversible encryption password storage
> > > > > schema in
> > > > > an OpenLDAP overlay and adapt some other layer/components to correctly use
> > > > > it.
> > > >
> > > > The SASL SCRAM mechanism works without a plaintext userPassword.
> > >
> > > Yes, but AFAIK not the current cyrus-sasl implementation.
> >
> > Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.
>
> Digging into cyrus-sasl's git repo I find a commit which indicates that it's
> possible to store pre-hashed SCRAM secrets in authPassword. Is that supported
> by OpenLDAP?

Not currently. The last time we discussed it, Kurt mentioned that the 
authPassword spec was a dead end and no one had implemented it.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/