Re: storing ldap passwords on HSM

Howard Chu wrote: > Michael Ströder wrote: >> Howard Chu wrote: >>> Michael Ströder wrote: >>>> 4. In case of SASL mechanisms which require 'userPassword' value(s) in clear >>>> you would have to implement a reversible encryption password storage >>>> schema in >>>> an OpenLDAP overlay and adapt some other layer/components to correctly use >>>> it. >>> >>> The SASL SCRAM mechanism works without a plaintext userPassword. >> >> Yes, but AFAIK not the current cyrus-sasl implementation. > > Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012. > >> Not to speak of lack of support by client implementations... > > Any client that uses the Cyrus-SASL libraries should have support without any > extra effort. Hmm, some extra effort is needed in clients, especially when they have a UI or complex configuration. At a minimum you have to register a new SASL mech as being a password-based mech. You might have guessed: I've added SCRAM support to web2ldap right after SCRAM support appeared in cyrus-sasl release. > They may need tweaks to support channel binding, but the basic > authentication mech works. Yes, but how many clients provide the input form or configuration for choosing SCRAM?