On 10/09/10 17:14 +0000, 1.41421@gmail.com wrote:
I would actually need the opposite. That is, the target password may be stored in the LDAP server in the clear, and the client should send not the password, but its Base64-encoded SHA-1 digest. On receiving this the LDAP server ought to compute the SHA-1 digest of the value of the userPassword attribute for the relevant user, Base64-encode it and compare it with the data received from the client in order to carry out the authentication.
How can this be done in OpenLDAP and within the LDAP standards? The goal here is to make sure that the password never gets transferred in the clear. I would agree that this really adds much in the way of security, and that the right way to do it would be to establish a TLS channel between client and server, but that's a different story.
See the OpenLDAP Administrator's Guide, section 14.3 and chapter 15 for a discussion of over-the-wire transmission of passwords.
Also see http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/components.php and the discussion of shared secret mechanisms.
OpenLDAP implements SASL support to address the scenario you're trying to solve, which requires that you store the plaintext (shared secret) password in your LDAP entry, and make use of strong/SASL binds against the server. In a scenario where you're using such a mechanism (e.g. DIGEST-MD5), your client and the server know the shared secret, but the secret is not transmitted over the wire, even in the absence of SSL/TLS encryption.
Your client software will need to support LDAPv3 and SASL.
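As an added illustration (not part of the thread, and not OpenLDAP or Cyrus SASL code), a Python sketch of the RFC 2831 DIGEST-MD5 exchange the reply refers to: both sides derive the response from the cleartext shared secret held in the directory, so only nonces and a nonce-bound digest cross the wire, and a captured response cannot be replayed against a fresh challenge. The user, password, realm and digest-uri are constructed sample values.

```python
import hashlib
import secrets

# Constructed sample data: the directory keeps the cleartext shared secret,
# as the reply says a SASL shared-secret mechanism requires.
DIRECTORY = {"alice": "correct horse battery staple"}
REALM = "example.com"
DIGEST_URI = "ldap/ldap.example.com"

def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_md5_response(user, realm, password, nonce, cnonce, nc, uri, method="AUTHENTICATE:"):
    """RFC 2831 response-value for qop=auth (method="" yields the server's rspauth)."""
    # A1 starts with the *raw* MD5 of user:realm:password; A2 names the LDAP service.
    a1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest() + f":{nonce}:{cnonce}".encode()
    a2 = f"{method}{uri}".encode()
    return _hexmd5(f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:auth:{_hexmd5(a2)}".encode())

def server_challenge():
    return {"realm": REALM, "nonce": secrets.token_hex(16), "qop": "auth"}

def client_response(challenge, user, password):
    cnonce = secrets.token_hex(16)
    resp = digest_md5_response(user, challenge["realm"], password,
                               challenge["nonce"], cnonce, "00000001", DIGEST_URI)
    return {"username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "cnonce": cnonce, "nc": "00000001", "qop": "auth",
            "digest-uri": DIGEST_URI, "response": resp}

def server_verify(challenge, msg):
    """Return the rspauth value on success, None on failure."""
    if msg["nonce"] != challenge["nonce"]:   # not bound to the challenge we issued (replay)
        return None
    password = DIRECTORY.get(msg["username"])
    if password is None:
        return None
    args = (msg["username"], msg["realm"], password, msg["nonce"],
            msg["cnonce"], msg["nc"], msg["digest-uri"])
    if not secrets.compare_digest(digest_md5_response(*args), msg["response"]):
        return None
    return digest_md5_response(*args, method="")

def run_bind(user, password):
    """Simulate one SASL bind; return (authenticated, messages seen on the wire)."""
    chal = server_challenge()
    msg = client_response(chal, user, password)
    rspauth = server_verify(chal, msg)
    # The client checks rspauth to confirm the server also knows the secret (mutual auth).
    expected = digest_md5_response(user, chal["realm"], password, chal["nonce"],
                                   msg["cnonce"], msg["nc"], DIGEST_URI, method="")
    return rspauth is not None and rspauth == expected, [chal, msg, {"rspauth": rspauth}]
```

Searching the returned wire messages for the password string shows it never appears; only the two nonces and the MD5 digests do.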