[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: storing HA1 password hash for HTTP DIGEST, SIP, TURN

To: Daniel Pocock <daniel@pocock.pro>, openldap-technical@openldap.org
Subject: Re: storing HA1 password hash for HTTP DIGEST, SIP, TURN
From: Howard Chu <hyc@symas.com>
Date: Thu, 16 Jul 2015 12:09:24 +0100
Cc: michael@stroeder.com
In-reply-to: <55A77A66.70709@pocock.pro>
References: <55A379AC.90603@pocock.pro> <55A37EFF.6070602@stroeder.com> <55A386C5.5020201@pocock.pro> <55A77A66.70709@pocock.pro>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0 SeaMonkey/2.37a1

Daniel Pocock wrote:



On 13/07/15 11:37, Daniel Pocock wrote:



On 13/07/15 11:03, Michael Ströder wrote:

Daniel Pocock wrote:

There are a few protocols that use a HA1[1] password hash, such as HTTP
DIGEST[1], SIP DIGEST[2] and TURN[3] (which uses HMAC rather than DIGEST)

Is there a standard LDAP attribute name for storing a HA1 value or
should it be stored in a regular userPassword attribute as described in
the manual[4]?


Do you want to use the LDAP server only as dumb password store or do you also
want to use this attribute for LDAP bind operation?


Good question

For the DIGEST and HMAC algorithms, the most interesting possibility
would be for OpenLDAP to perform validation:

1. HTTP server (or SIP proxy or whatever) creates a challenge header and
sends it to the end user
2. User responds with an authorization token
3. HTTP server gives a copy of the challenge and the response to the
OpenLDAP server
4. OpenLDAP gives a validation true/false response

In this case, clients can't read the HA1 from LDAP

Could that be done with a bind?  Does it have any performance impact
doing a bind or is there a more lightweight way to achieve this?

You can't pass all the necessary parameters (nonce, challenge, uri, etc.) tothe LDAP server using a Simple Bind request. But e.g. HTTP DIGEST is the sameas the SASL DIGEST-MD5 mechanism. You could pass thru the parameters from anLDAP SASL Bind request, with the HTTP (or whatever) server just acting as aMITM. Note that in that case, the LDAP server's SASL library generates thechallenge, the HTTP server must parse it and pass it on to the client.

There's no particular performance impact for Bind itself; whatever crypto theunderlying mechanism uses will have its own cost of course.

There is already a similar solution for RADIUS, rlm_digest
http://freeradius.org/radiusd/man/rlm_digest.txt

I'm just wondering if anybody can give any more feedback about this
issue before I look at coding anything for it?



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- storing HA1 password hash for HTTP DIGEST, SIP, TURN
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: storing HA1 password hash for HTTP DIGEST, SIP, TURN
  - From: Michael Ströder <michael@stroeder.com>
- Re: storing HA1 password hash for HTTP DIGEST, SIP, TURN
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: storing HA1 password hash for HTTP DIGEST, SIP, TURN
  - From: Daniel Pocock <daniel@pocock.pro>

Prev by Date: Re: storing HA1 password hash for HTTP DIGEST, SIP, TURN
Next by Date: Re: How to import user certificates in OpenLDAP?
Index(es):
- Chronological
- Thread