On 13/10/11 10:14 +0200, Michael Ströder wrote:

HI!

I'd like to do some interop testing using SCRAM-SHA-1. But I don't know how to set the userPassword value in OpenLDAP for that. I guess I have to write my own tool...

Did anybody here already play with it?

libsasl2's SCRAM-SHA-1 implementation apparently uses a shared secret (clear) password, retrieved from 'userPassword', like it does with DIGEST-MD5:

~# cat > /usr/lib/sasl2/saslpasswd.conf << EOF auxprop_plugin: ldapdb ldapdb_uri: ldapi:/// ldapdb_mech: EXTERNAL EOF

~# saslpasswd2 jsmith@example.org Password: test1234 Again (for verification): test1234

~# ldapsearch -LLL -H ldapi:/// -b dc=example,dc=org "uid=jsmith@example.org" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: uid=jsmith@example.org,ou=people,dc=example,dc=org uid: jsmith@example.org uidNumber: 1371123675 gidNumber: 1260883194 homeDirectory: /home/jsmith@example.org loginShell: /bin/bash shadowMin: 0 shadowMax: 999999 shadowWarning: 7 shadowExpire: -1 gecos: jsmith@example.org objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: jsmith@example.org userPassword:: dGVzdDEyMzQ=

# ldapsearch -LLL -x -H ldapi:/// -s "base" -b "" supportedSASLMechanisms dn: supportedSASLMechanisms: SCRAM-SHA-1 supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: NTLM supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: PLAIN supportedSASLMechanisms: LOGIN

~# ldapwhoami -Y SCRAM-SHA-1 -H ldapi:/// -U jsmith@example.org SASL/SCRAM-SHA-1 authentication started Please enter your password: test1234 SASL username: jsmith@example.org SASL SSF: 0 dn:uid=jsmith@example.org,ou=people,dc=example,dc=org