[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: storing ldap passwords on HSM

To: Howard Chu <hyc@symas.com>, lux-integ <lux-integ@btconnect.com>, openldap-technical@openldap.org
Subject: Re: storing ldap passwords on HSM
From: Michael Ströder <michael@stroeder.com>
Date: Mon, 08 Dec 2014 14:38:22 +0100
In-reply-to: <5485A706.2030803@symas.com>
References: <201412080813.25816.lux-integ@btconnect.com> <548574CB.3040705@stroeder.com> <5485A706.2030803@symas.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1

Howard Chu wrote:
> Michael Ströder wrote:
>> 4. In case of SASL mechanisms which require 'userPassword' value(s) in clear
>> you would have to implement a reversible encryption password storage schema in
>> an OpenLDAP overlay and adapt some other layer/components to correctly use it.
> 
> The SASL SCRAM mechanism works without a plaintext userPassword.

Yes, but AFAIK not the current cyrus-sasl implementation.
Not to speak of lack of support by client implementations...

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- Re: storing ldap passwords on HSM
  - From: Howard Chu <hyc@symas.com>

References:
- storing ldap passwords on HSM
  - From: "lux-integ" <lux-integ@btconnect.com>
- Re: storing ldap passwords on HSM
  - From: Michael Ströder <michael@stroeder.com>
- Re: storing ldap passwords on HSM
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: storing ldap passwords on HSM
Next by Date: Re: storing ldap passwords on HSM
Index(es):
- Chronological
- Thread