Re: storing ldap passwords on HSM

8 Dec 2014


      Michael Ströder wrote:
...
Howard Chu wrote:
...
Michael Ströder wrote:
...

In case of SASL mechanisms which require 'userPassword' value(s) in clear

you would have to implement a reversible encryption password storage schema in
an OpenLDAP overlay and adapt some other layer/components to correctly use it.
The SASL SCRAM mechanism works without a plaintext userPassword.
Yes, but AFAIK not the current cyrus-sasl implementation.
Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.
...
Not to speak of lack of support by client implementations...
Any client that uses the Cyrus-SASL libraries should have support 
without any extra effort. They may need tweaks to support channel 
binding, but the basic authentication mech works.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: storing ldap passwords on HSM