Re: Using SCRAM-SHA-1 and authPassword
Michael Ströder wrote:
Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> 4. In case of SASL mechanisms which require 'userPassword'
value(s) in clear
>>>> you would have to implement a reversible encryption password storage
>>>> schema in
>>>> an OpenLDAP overlay and adapt some other layer/components to correctly
use
>>>> it.
>>>
>>> The SASL SCRAM mechanism works without a plaintext userPassword.
>>
>> Yes, but AFAIK not the current cyrus-sasl implementation.
>
> Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.
Digging into cyrus-sasl's git repo I find a commit which indicates that it's
possible to store pre-hashed SCRAM secrets in authPassword. Is that supported
by OpenLDAP?
Not currently. The last time we discussed it, Kurt mentioned that the
authPassword spec was a dead end and no one had implemented it.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/