8 Dec
2014
8 Dec
'14
11:05 a.m.
Howard Chu wrote:
Michael Ströder wrote:
Howard Chu wrote:
Michael Ströder wrote:
- In case of SASL mechanisms which require 'userPassword' value(s) in clear
you would have to implement a reversible encryption password storage schema in an OpenLDAP overlay and adapt some other layer/components to correctly use it.
The SASL SCRAM mechanism works without a plaintext userPassword.
Yes, but AFAIK not the current cyrus-sasl implementation.
Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.
Digging into cyrus-sasl's git repo I find a commit which indicates that it's possible to store pre-hashed SCRAM secrets in authPassword. Is that supported by OpenLDAP?
Ciao, Michael.