Hi,
RFC 5802 describes a Salted Challenge Response
Authentication Mechanism and RFC 5803 describes a schema for storing
salted challenge response mechanism secrets, which recommends an
authPassword attribute type with a salted hash and a hashing scheme as
attribute value.
It seems that OpenLDAP doesn't know authPassword:
ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username:
gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth SASL SSF: 0
dn: cn=dieter kluenter,ou=partner,o=avci,c=de
changetype: modify
add: authPassword
authPassword: xxxxxxx
modifying entry "cn=dieter kluenter,ou=partner,o=avci,c=de"
ldap_modify: Undefined attribute type (17)
additional info: authPassword: attribute type undefined
Although the SASL mechanism is provided and known, the attribute
userPassword maintains a plaintext value.
ldapwhoami -Y SCRAM-SHA-1 -U dieter -w xxxx -H ldapi:///
SASL/SCRAM-SHA-1 authentication started
SASL username: dieter
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de
It seems that SASL authentication only supports SCRAM mechanisms with a
plaintext value.
Is there any intention to fully implement RFC 5802 and RFC 5803?
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
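Added worked example (editor's addition, not part of the post above and not OpenLDAP or Cyrus SASL code): it derives the SCRAM-SHA-1 keys of RFC 5802, writes them out in the authPassword storage form that RFC 5803 layers on the RFC 3112 syntax (scheme '$' iteration count ':' salt '$' StoredKey ':' ServerKey, base64-encoded; that field layout is my reading of RFC 5803), and then checks a client proof on the server side using only the stored value, which is what a plaintext userPassword cannot give you. All function names are hypothetical; the test vector (password "pencil", salt QSXCR+Q6sek8bf92, 4096 iterations, the nonces and the c=biws channel-binding flag) is the one in RFC 5802 section 5, and SASLprep is skipped because that password is plain ASCII.

```python
"""SCRAM-SHA-1 key derivation (RFC 5802) and the RFC 5803 authPassword
storage form, plus a server-side proof check that needs only the stored keys.
Example code added to the thread; not part of the original post or of OpenLDAP."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

HASH = hashlib.sha1          # SCRAM-SHA-1; hashlib.sha256 would give SCRAM-SHA-256
HASH_LEN = HASH().digest_size


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def derive_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 section 3: SaltedPassword -> ClientKey, StoredKey, ServerKey.
    Hi() is PBKDF2 with HMAC over the SCRAM hash and dkLen = hash length.
    SASLprep of the password is omitted; the sample password is plain ASCII."""
    salted = hashlib.pbkdf2_hmac(HASH().name, password.encode("utf-8"), salt,
                                 iterations, dklen=HASH_LEN)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = HASH(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return client_key, stored_key, server_key


def authpassword_value(password: str, salt: Optional[bytes] = None,
                       iterations: int = 4096) -> str:
    """Build the attribute value as RFC 5803 lays it out on the RFC 3112
    authPassword syntax (my reading): scheme '$' iterCount ':' salt '$'
    StoredKey ':' ServerKey, with salt and keys base64-encoded.
    Only StoredKey and ServerKey are kept; the password cannot be recovered
    from them, which is the point of RFC 5803 over a plaintext userPassword."""
    if salt is None:
        salt = secrets.token_bytes(16)        # fresh random salt per entry
    _, stored_key, server_key = derive_keys(password, salt, iterations)
    return "SCRAM-SHA-1$%d:%s$%s:%s" % (iterations, b64(salt),
                                        b64(stored_key), b64(server_key))


def parse_authpassword(value: str):
    """Split a stored value back into (iterations, salt, StoredKey, ServerKey)."""
    scheme, auth_info, auth_value = value.split("$", 2)
    if scheme != "SCRAM-SHA-1":
        raise ValueError("unsupported scheme: " + scheme)
    iterations, salt = auth_info.split(":", 1)
    stored_key, server_key = auth_value.split(":", 1)
    return (int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))


def client_proof(password: str, salt: bytes, iterations: int,
                 auth_message: str) -> str:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = derive_keys(password, salt, iterations)
    client_sig = hmac.new(stored_key, auth_message.encode(), HASH).digest()
    return b64(bytes(a ^ b for a, b in zip(client_key, client_sig)))


def server_verify(stored_value: str, auth_message: str, proof_b64: str):
    """Server side, using only the authPassword value: recover ClientKey from
    the proof, check H(ClientKey) == StoredKey, and on success return the
    ServerSignature with which the client authenticates the server."""
    _, _, stored_key, server_key = parse_authpassword(stored_value)
    client_sig = hmac.new(stored_key, auth_message.encode(), HASH).digest()
    proof = base64.b64decode(proof_b64)
    if len(proof) != HASH_LEN:
        return False, None
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    if not hmac.compare_digest(HASH(client_key).digest(), stored_key):
        return False, None
    server_sig = hmac.new(server_key, auth_message.encode(), HASH).digest()
    return True, b64(server_sig)


# RFC 5802 section 5 test vector (password "pencil"); AuthMessage is
# client-first-bare "," server-first "," client-final-without-proof.
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_AUTH_MESSAGE = (
    "n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
    "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
)


def demo():
    """Store the RFC vector's secrets, prove the right password, reject a wrong one."""
    stored = authpassword_value("pencil", RFC_SALT, 4096)
    proof = client_proof("pencil", RFC_SALT, 4096, RFC_AUTH_MESSAGE)
    ok, server_sig = server_verify(stored, RFC_AUTH_MESSAGE, proof)
    wrong = client_proof("pencils", RFC_SALT, 4096, RFC_AUTH_MESSAGE)
    rejected, _ = server_verify(stored, RFC_AUTH_MESSAGE, wrong)
    return stored, proof, ok, server_sig, rejected


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With the RFC inputs, demo() yields the authPassword value for the RFC's salt, the RFC's client proof and server signature, and a rejected result for the wrong password; the server side never touches the password itself, only StoredKey and ServerKey from the attribute.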