> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Howard Chu wrote:
>>>> Michael Ströder wrote:
>>>>> - In case of SASL mechanisms which require 'userPassword' value(s) in clear
>>>>> you would have to implement a reversible encryption password storage schema in an OpenLDAP overlay and adapt some other layer/components to correctly use it.
>>>>
>>>> The SASL SCRAM mechanism works without a plaintext userPassword.
>>>
>>> Yes, but AFAIK not the current cyrus-sasl implementation.
>>
>> Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.
>>
>>> Not to speak of lack of support by client implementations...
>>
>> Any client that uses the Cyrus-SASL libraries should have support without any extra effort.

Hmm, some extra effort is needed in clients, especially when they have a UI or complex configuration. At a minimum you have to register a new SASL mech as being a password-based mech.

You might have guessed: I've added SCRAM support to web2ldap right after SCRAM support appeared in the cyrus-sasl release.

> They may need tweaks to support channel binding, but the basic authentication mech works.

Yes, but how many clients provide the input form or configuration for choosing SCRAM?
Ciao, Michael.