Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> 4. In case of SASL mechanisms which require 'userPassword' value(s)
>>>> you would have to implement a reversible encryption password storage
>>>> schema in an OpenLDAP overlay and adapt some other layer/components
>>>> to correctly use
>>> The SASL SCRAM mechanism works without a plaintext userPassword.
>> Yes, but AFAIK not the current cyrus-sasl implementation.
> Hm, Cyrus-SASL 2.1.26 with SCRAM was released in 2012.
>> Not to speak of lack of support by client implementations...
> Any client that uses the Cyrus-SASL libraries should have support without any

Hmm, some extra effort is needed in clients, especially when they have a UI or
complex configuration. At a minimum you have to register a new SASL mech as
being a password-based mech.
You might have guessed: I've added SCRAM support to web2ldap right after SCRAM
support appeared in cyrus-sasl release.

> They may need tweaks to support channel binding, but the basic
> authentication mech works.

Yes, but how many clients provide the input form or configuration for choosing