Michael Ströder wrote:
Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> 4. In case of SASL mechanisms which require 'userPassword'
value(s) in clear
>>>> you would have to implement a reversible encryption password storage
>>>> schema in
>>>> an OpenLDAP overlay and adapt some other layer/components to correctly
>>> The SASL SCRAM mechanism works without a plaintext userPassword.
>> Yes, but AFAIK not the current cyrus-sasl implementation.
> Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.
>> Not to speak of lack of support by client implementations...
> Any client that uses the Cyrus-SASL libraries should have support without any
> extra effort.
Hmm, some extra effort is needed in clients, especially when they have a UI or
complex configuration. At a minimum you have to register a new SASL mech as
being a password-based mech.
You might have guessed: I've added SCRAM support to web2ldap right after SCRAM
support appeared in cyrus-sasl release.
> They may need tweaks to support channel binding, but the basic
> authentication mech works.
Yes, but how many clients provide the input form or configuration for choosing
Given that Cyrus-SASL has a listmechs() API, I don't see why a client
would ever have a hardcoded list of supported mechanisms. But OK, that's
a topic for another time and place.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/