
Using SCRAM-SHA-1 and authPassword



Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> 4. In case of SASL mechanisms which require 'userPassword' value(s) in clear
>>>> you would have to implement a reversible encryption password storage
>>>> schema in an OpenLDAP overlay and adapt some other layer/components to
>>>> correctly use it.
>>>
>>> The SASL SCRAM mechanism works without a plaintext userPassword.
>>
>> Yes, but AFAIK not the current cyrus-sasl implementation.
> 
> Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.

Digging into cyrus-sasl's git repo I find a commit which indicates that it's
possible to store pre-hashed SCRAM secrets in authPassword. Is that supported
by OpenLDAP?

Ciao, Michael.
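
Added example, not part of the original message and not cyrus-sasl or OpenLDAP code: a sketch of why SCRAM-SHA-1 needs no plaintext on the server, deriving a pre-hashed secret once and then checking a client proof from the stored value alone. It assumes the RFC 5803 authPassword layout (scheme$iterations:salt$StoredKey:ServerKey) and uses the RFC 5802 section 5 test vector as sample data; the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def make_auth_password(password: str, salt: bytes, iterations: int) -> str:
    """Derive the stored secret; the password is used here once and never kept.
    Assumes an ASCII password (SASLprep normalisation is omitted)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("ascii"), salt, iterations)
    stored_key = _h(_hmac(salted, b"Client Key"))
    server_key = _hmac(salted, b"Server Key")
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"SCRAM-SHA-1${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def verify_client_proof(auth_password: str, auth_message: str, proof_b64: str):
    """Check a client proof using only the stored value.
    Returns the base64 ServerSignature on success, None on failure."""
    scheme, _info, auth_value = auth_password.split("$")
    if scheme != "SCRAM-SHA-1":
        raise ValueError("unsupported scheme: " + scheme)
    stored_key, server_key = (base64.b64decode(p) for p in auth_value.split(":"))
    proof = base64.b64decode(proof_b64)
    client_sig = _hmac(stored_key, auth_message.encode("ascii"))
    if len(proof) != len(client_sig):
        return None
    # ClientKey = ClientProof XOR ClientSignature; H(ClientKey) must equal StoredKey.
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    if not hmac.compare_digest(_h(client_key), stored_key):
        return None
    return base64.b64encode(_hmac(server_key, auth_message.encode("ascii"))).decode("ascii")

# Test vector from RFC 5802 section 5 (user "user", password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
AUTH_MESSAGE = (
    "n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
    "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
)
CLIENT_PROOF = "v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="

if __name__ == "__main__":
    entry = make_auth_password("pencil", SALT, 4096)
    print("authPassword:", entry)
    print("ServerSignature:", verify_client_proof(entry, AUTH_MESSAGE, CLIENT_PROOF))
```

The stored value is still password-equivalent for offline guessing, and StoredKey plus a captured exchange lets an attacker impersonate the user, so the attribute needs the same access controls as userPassword.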

