Re: SASL hashing schemes

On 12/08/14 20:41 +0100, Dieter Klünter wrote: >Hi, >RFC 5802 describe a Salted Challenge Response >Authentication Mechanism and RFC 5803 describes a schema for storing >salted challenge response mechanism secrets, which recommend a >authPassword attribute type and a salted hash and a hashing scheme as >attribute value. >It seems, that OpenLDAP doesn't know authPassword > >ldapmodify -Y EXTERNAL -H ldapi:/// >SASL/EXTERNAL authentication started >SASL username: >gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth SASL SSF: 0 >dn: cn=dieter kluenter,ou=partner,o=avci,c=de >changetype: modify >add: authPassword >authPassword: xxxxxxx > >modifying entry "cn=dieter kluenter,ou=partner,o=avci,c=de" >ldap_modify: Undefined attribute type (17) > additional info: authPassword: attribute type undefined > >Although the SASL Mechanism is provided and known, but the attribute >userPassword maintains a plaintext value. > >ldapwhoami -Y SCRAM-SHA-1 -U dieter -w xxxx-H ldapi:/// >SASL/SCRAM-SHA-1 authentication started >SASL username: dieter >SASL SSF: 0 >dn:cn=dieter kluenter,ou=partner,o=avci,c=de > >It seems that SASl authentication only supports scram Mechanisms as >plaintext value. >Is there any intention to fully implement RFC 5802 and RFC 5803? You could adapt this: https://github.com/bindle/canned-openldap/blob/master/schema-custom/cmusa...