On 12/08/14 20:41 +0100, Dieter Klünter wrote:
Hi, RFC 5802 describes a Salted Challenge Response Authentication Mechanism and RFC 5803 describes a schema for storing salted challenge response mechanism secrets, which recommends an authPassword attribute type and a salted hash and a hashing scheme as attribute value. It seems that OpenLDAP doesn't know authPassword
ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=dieter kluenter,ou=partner,o=avci,c=de
changetype: modify
add: authPassword
authPassword: xxxxxxx

modifying entry "cn=dieter kluenter,ou=partner,o=avci,c=de"
ldap_modify: Undefined attribute type (17)
        additional info: authPassword: attribute type undefined
Although the SASL mechanism is provided and known, the attribute userPassword maintains a plaintext value.
ldapwhoami -Y SCRAM-SHA-1 -U dieter -w xxxx -H ldapi:///
SASL/SCRAM-SHA-1 authentication started
SASL username: dieter
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de
It seems that SASL authentication only supports SCRAM mechanisms as plaintext value. Is there any intention to fully implement RFC 5802 and RFC 5803?
You could adapt this:
https://github.com/bindle/canned-openldap/blob/master/schema-custom/cmusasl....
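For reference, here is an added example (not from this thread, and not OpenLDAP or Cyrus SASL code) that derives the SCRAM-SHA-1 values of RFC 5802, writes them in the RFC 5803 authPassword layout (scheme$iterations:salt$StoredKey:ServerKey), and runs the server-side proof check. It shows that the directory only needs StoredKey and ServerKey, not the plaintext that userPassword currently has to hold; the function names are my own, the test vector is the "pencil" example from RFC 5802 section 5.

```python
import base64
import hashlib
import hmac

# RFC 5802 section 3: Hi() is PBKDF2 with HMAC-SHA-1 and a 20-byte output.
# Only StoredKey and ServerKey have to be kept on the server side.
def scram_sha1_keys(password: str, salt: bytes, iterations: int) -> dict:
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 20)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"SaltedPassword": salted, "ClientKey": client_key,
            "StoredKey": hashlib.sha1(client_key).digest(), "ServerKey": server_key}

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def authpassword_value(password: str, salt: bytes, iterations: int) -> str:
    """RFC 5803 layout: scheme '$' iterations ':' b64(salt) '$' b64(StoredKey) ':' b64(ServerKey)."""
    k = scram_sha1_keys(password, salt, iterations)
    return f"SCRAM-SHA-1${iterations}:{_b64(salt)}${_b64(k['StoredKey'])}:{_b64(k['ServerKey'])}"

def parse_authpassword(value: str) -> dict:
    """Split a stored authPassword value back into its binary fields."""
    scheme, info, secret = value.split("$")
    iterations, salt = info.split(":")
    stored_key, server_key = secret.split(":")
    return {"scheme": scheme, "iterations": int(iterations), "salt": base64.b64decode(salt),
            "StoredKey": base64.b64decode(stored_key), "ServerKey": base64.b64decode(server_key)}

def verify_client_proof(stored_key: bytes, auth_message: bytes, client_proof: bytes) -> bool:
    """Server-side step of RFC 5802: ClientKey = ClientProof XOR HMAC(StoredKey, AuthMessage),
    then H(ClientKey) must equal StoredKey. The plaintext password is never needed here."""
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_key = bytes(p ^ s for p, s in zip(client_proof, client_signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)

def server_signature(server_key: bytes, auth_message: bytes) -> bytes:
    """The 'v=' value the server returns so the client can authenticate the server."""
    return hmac.new(server_key, auth_message, hashlib.sha1).digest()

if __name__ == "__main__":
    # RFC 5802 section 5 test vector: password "pencil", salt QSXCR+Q6sek8bf92, 4096 iterations.
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    print(authpassword_value("pencil", salt, 4096))
```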