Michael Ströder wrote:
Howard Chu wrote:
> Michael Ströder wrote:
>> 4. In case of SASL mechanisms which require 'userPassword' value(s) in clear
>> you would have to implement a reversible encryption password storage schema in
>> an OpenLDAP overlay and adapt some other layer/components to correctly use it.
>
> The SASL SCRAM mechanism works without a plaintext userPassword.
Yes, but AFAIK not the current cyrus-sasl implementation.
Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.
Not to speak of lack of support by client implementations...
Any client that uses the Cyrus-SASL libraries should have support
without any extra effort. They may need tweaks to support channel
binding, but the basic authentication mech works.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
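
Added example, not part of the original thread and not Cyrus-SASL or OpenLDAP code: a sketch of the SCRAM-SHA-1 computation from RFC 5802, showing that the server can check a client's proof using only a stored StoredKey/ServerKey record and never the plaintext password. The function names are hypothetical, the inputs are the example exchange from RFC 5802 section 5, and SASLprep normalization is skipped on the assumption of an ASCII password.

```python
import base64
import hashlib
import hmac

# Values from the example exchange in RFC 5802 section 5 (user "user", password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
AUTH_MESSAGE = (
    b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
)

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def _salted(password, salt, iterations):
    # Hi() in RFC 5802 is PBKDF2-HMAC-SHA1 with a 20-byte output.
    # Assumption: ASCII password, so SASLprep normalization is skipped.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)

def make_verifier(password, salt, iterations):
    """Server side, at password-set time: derive the record that gets stored."""
    salted = _salted(password, salt, iterations)
    stored_key = hashlib.sha1(_hmac(salted, b"Client Key")).digest()
    return {"salt": salt, "i": iterations,
            "StoredKey": stored_key, "ServerKey": _hmac(salted, b"Server Key")}

def client_proof(password, salt, iterations, auth_message):
    """Client side: prove knowledge of the password without sending it."""
    client_key = _hmac(_salted(password, salt, iterations), b"Client Key")
    signature = _hmac(hashlib.sha1(client_key).digest(), auth_message)
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verify(verifier, auth_message, proof):
    """Server side: recover ClientKey from the proof and compare its hash."""
    signature = _hmac(verifier["StoredKey"], auth_message)
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), verifier["StoredKey"])

if __name__ == "__main__":
    verifier = make_verifier("pencil", SALT, ITERATIONS)  # plaintext is not kept after this
    good = client_proof("pencil", SALT, ITERATIONS, AUTH_MESSAGE)
    bad = client_proof("pencil2", SALT, ITERATIONS, AUTH_MESSAGE)
    print(base64.b64encode(good).decode())
    print(server_verify(verifier, AUTH_MESSAGE, good), server_verify(verifier, AUTH_MESSAGE, bad))
```

The stored record still allows offline guessing if it leaks, so it needs the same access protection as any password hash.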