
Re: SASL hashing schemes



Dan White wrote:
On 12/08/14 13:59 -0600, Dan White wrote:
On 12/08/14 20:41 +0100, Dieter Klünter wrote:
Hi,
RFC 5802 describes a Salted Challenge Response
Authentication Mechanism and RFC 5803 describes a schema for storing
salted challenge response mechanism secrets, which recommends an
authPassword attribute type with a salted hash and a hashing scheme as
attribute value.
It seems that OpenLDAP doesn't know authPassword:

ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username:
gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth SASL SSF: 0
dn: cn=dieter kluenter,ou=partner,o=avci,c=de
changetype: modify
add: authPassword
authPassword: xxxxxxx

modifying entry "cn=dieter kluenter,ou=partner,o=avci,c=de"
ldap_modify: Undefined attribute type (17)
    additional info: authPassword: attribute type undefined

Although the SASL Mechanism is provided and known, but the attribute
userPassword maintains a plaintext value.

ldapwhoami -Y SCRAM-SHA-1 -U dieter -w xxxx -H ldapi:///
SASL/SCRAM-SHA-1 authentication started
SASL username: dieter
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

It seems that SASL authentication only supports SCRAM mechanisms with a
plaintext value.
Is there any intention to fully implement RFC 5802 and RFC 5803?

You could adapt this:

https://github.com/bindle/canned-openldap/blob/master/schema-custom/cmusasl.schema

There's no attribute for SCRAM in this schema, so it's not really relevant.

Also, it's cyrus sasl that is likely deciding which attribute to use.
You'll need to check its source to verify if it supports authPassword.

The Cyrus SCRAM module checks for both userPassword and authPassword.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
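Added example, not code from this thread, OpenLDAP or Cyrus SASL: the RFC 5803 authPassword layout Dieter asks about (scheme$iterations:salt$StoredKey:ServerKey, salt and keys base64), built and then used to check a SCRAM-SHA-1 client proof. It shows why a directory holding only StoredKey and ServerKey can verify a SCRAM login without a plaintext userPassword; the password, salt and AuthMessage used in the test are constructed values.

```python
import base64
import hashlib
import hmac
import os

HASH = "sha1"  # SCRAM-SHA-1; "sha256" would give SCRAM-SHA-256 keys


def derive_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 key derivation: returns (ClientKey, StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    return client_key, stored_key, server_key


def make_authpassword(password: str, salt: bytes = None, iterations: int = 4096) -> str:
    """RFC 5803 layout: SCRAM-SHA-1$<iterations>:<b64 salt>$<b64 StoredKey>:<b64 ServerKey>."""
    salt = salt or os.urandom(16)  # fresh random salt unless the caller supplies one
    _, stored_key, server_key = derive_keys(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"SCRAM-SHA-1${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def parse_authpassword(value: str):
    """Split an authPassword value back into (iterations, salt, StoredKey, ServerKey)."""
    scheme, info, auth = value.split("$")
    if scheme != "SCRAM-SHA-1":
        raise ValueError(f"unsupported scheme {scheme!r}")
    iterations, salt = info.split(":")
    stored_key, server_key = auth.split(":")
    return (int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = derive_keys(password, salt, iterations)
    return xor(client_key, hmac.new(stored_key, auth_message, HASH).digest())


def verify_proof(authpassword: str, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof; its hash must equal StoredKey."""
    _, _, stored_key, _ = parse_authpassword(authpassword)
    client_key = xor(proof, hmac.new(stored_key, auth_message, HASH).digest())
    return hmac.compare_digest(hashlib.new(HASH, client_key).digest(), stored_key)
```

The server never needs the plaintext: a stolen authPassword value lets an attacker impersonate the server but not log in as the user, which is the property RFC 5803 storage adds over a plaintext userPassword.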