On 13/07/15 11:37, Daniel Pocock wrote:
On 13/07/15 11:03, Michael Ströder wrote:
Daniel Pocock wrote:
There are a few protocols that use a HA1[1] password hash, such as HTTP DIGEST[1], SIP DIGEST[2] and TURN[3] (which uses HMAC rather than DIGEST)
Is there a standard LDAP attribute name for storing a HA1 value or should it be stored in a regular userPassword attribute as described in the manual[4]?
Do you want to use the LDAP server only as dumb password store or do you also want to use this attribute for LDAP bind operation?
Good question
For the DIGEST and HMAC algorithms, the most interesting possibility would be for OpenLDAP to perform validation:
1. HTTP server (or SIP proxy or whatever) creates a challenge header and sends it to the end user
2. User responds with an authorization token
3. HTTP server gives a copy of the challenge and the response to the OpenLDAP server
4. OpenLDAP gives a validation true/false response
In this case, clients can't read the HA1 from LDAP
Could that be done with a bind? Does it have any performance impact doing a bind or is there a more lightweight way to achieve this?
There is already a similar solution for RADIUS, rlm_digest http://freeradius.org/radiusd/man/rlm_digest.txt
I'm just wondering if anybody can give any more feedback about this issue before I look at coding anything for it?
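The four-step exchange proposed above, worked through for HTTP Digest with qop=auth (RFC 2617), as an added example that is not code from this thread, from OpenLDAP or from rlm_digest. The function names and the dictionary shapes for the challenge and authorization are my own; the user, realm, nonce and password values are the published RFC 2617 section 3.5 test vector, and the "tampered" case is constructed here. The validator side receives only the challenge, the client's answer and the stored HA1, and returns true/false without ever seeing the password.

```python
"""HTTP Digest (RFC 2617, qop=auth) computed from a stored HA1.

Added example (hypothetical helper names). The directory side keeps only
HA1 = MD5(username:realm:password); the client derives the same HA1 from
its password; the validator recomputes the response from HA1 alone.
"""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the value the directory would store."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(username: str, realm: str, password: str, method: str,
                     uri: str, challenge: dict, nc: str, cnonce: str) -> dict:
    """Step 2: the client derives HA1 from its password and answers the challenge."""
    ha1 = compute_ha1(username, realm, password)
    return {
        "username": username, "realm": realm, "nonce": challenge["nonce"],
        "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, challenge["nonce"],
                                    nc, cnonce, challenge["qop"]),
    }


def validate_with_ha1(stored_ha1: str, method: str, challenge: dict,
                      authorization: dict) -> bool:
    """Steps 3-4: recompute the expected response from the stored HA1 and the
    challenge actually issued, and answer true/false. No password needed.
    (A real validator also tracks nonce expiry and nc replay; omitted here.)"""
    if (authorization["nonce"] != challenge["nonce"]
            or authorization["realm"] != challenge["realm"]
            or authorization["qop"] != challenge["qop"]):
        return False
    expected = digest_response(stored_ha1, method, authorization["uri"],
                               challenge["nonce"], authorization["nc"],
                               authorization["cnonce"], challenge["qop"])
    # Constant-time compare so the validator does not leak a prefix match.
    return hmac.compare_digest(expected, authorization["response"])


def rfc2617_example() -> dict:
    """Run the exchange with the RFC 2617 section 3.5 test vector."""
    username, realm, password = "Mufasa", "testrealm@host.com", "Circle Of Life"
    # Step 1: the HTTP server issues this challenge (nonce from the RFC vector).
    challenge = {"realm": realm, "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 "qop": "auth"}
    # Step 2: the client answers for GET /dir/index.html.
    authz = client_authorize(username, realm, password, "GET", "/dir/index.html",
                             challenge, nc="00000001", cnonce="0a4f113b")
    # Steps 3-4: the validator holds only HA1, never the password.
    stored_ha1 = compute_ha1(username, realm, password)
    valid = validate_with_ha1(stored_ha1, "GET", challenge, authz)
    # Constructed negative case: one hex digit of the response changed.
    tampered = dict(authz, response="0" + authz["response"][1:])
    tampered_valid = validate_with_ha1(stored_ha1, "GET", challenge, tampered)
    return {"ha1": stored_ha1, "response": authz["response"],
            "valid": valid, "tampered_valid": tampered_valid}


if __name__ == "__main__":
    print(rfc2617_example())
```

Note what the validator consumes: HA1 plus the challenge and the client's answer, nothing else. That is the whole point of keeping HA1 unreadable to clients: anyone who can read HA1 for a realm can produce a valid response to any challenge in that realm without ever learning the password, so HA1 has to be protected exactly like the password itself.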