Howard Chu wrote:
Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> 4. In case of SASL mechanisms which require 'userPassword' value(s) in clear
>>> you would have to implement a reversible encryption password storage schema in
>>> an OpenLDAP overlay and adapt some other layer/components to correctly use it.
>>
>> The SASL SCRAM mechanism works without a plaintext userPassword.
>
> Yes, but AFAIK not the current cyrus-sasl implementation.

Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.

Digging into cyrus-sasl's git repo I find a commit which indicates that it's
possible to store pre-hashed SCRAM secrets in authPassword. Is that supported
by OpenLDAP?

Ciao, Michael.
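
Added example, not part of the thread and not cyrus-sasl or OpenLDAP code: a sketch of why SCRAM needs no plaintext password on the server, using the SCRAM-SHA-1 definitions and the test exchange from RFC 5802. The function names are hypothetical, SASLprep normalization is omitted, and no particular authPassword storage format is implied.

```python
import base64
import hashlib
import hmac

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_verifier(password: str, salt: bytes, iterations: int):
    """Run once at password-set time; only the returned values are stored."""
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-1 and a 20-byte output.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    stored_key = hashlib.sha1(hmac_sha1(salted, b"Client Key")).digest()
    server_key = hmac_sha1(salted, b"Server Key")
    return stored_key, server_key

def client_proof(password: str, salt: bytes, iterations: int, auth_msg: bytes) -> bytes:
    """Client side: the only party that ever handles the password."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac_sha1(salted, b"Client Key")
    signature = hmac_sha1(hashlib.sha1(client_key).digest(), auth_msg)
    return xor(client_key, signature)

def server_verify(stored_key: bytes, server_key: bytes, auth_msg: bytes, proof: bytes):
    """Server side: checks the proof using StoredKey only.
    Returns the ServerSignature on success, None on failure."""
    client_key = xor(proof, hmac_sha1(stored_key, auth_msg))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key):
        return None
    return hmac_sha1(server_key, auth_msg)

# Test exchange from RFC 5802 section 5 (user "user", password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
AUTH_MSG = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
            b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
            b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")

def run_exchange(client_password: str):
    """Server holds a verifier for "pencil"; client tries client_password."""
    stored_key, server_key = make_verifier("pencil", SALT, ITERATIONS)
    proof = client_proof(client_password, SALT, ITERATIONS, AUTH_MSG)
    server_sig = server_verify(stored_key, server_key, AUTH_MSG, proof)
    return base64.b64encode(proof).decode(), server_sig

if __name__ == "__main__":
    print(run_exchange("pencil"))
```

The stored StoredKey and ServerKey are still password-equivalent for offline guessing, so they need the same access protection in the directory as any other password hash.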