alternative login names

Charles Bradshaw brad at bradcan.homelinux.com
Mon Feb 4 15:43:25 EST 2013


Gentlemen

Sorry to butt into this thread at so late a stage. Indeed SASL does not support
encrypted passwords because it can't!

SASL CRAM-MD5 and DIGEST-MD5 do not transmit the password over the link; as a
consequence, both the client and the server need knowledge of the clear text.

It is possible to store encrypted passwords in some kind of database provided
that the lookup mechanism is capable of doing the decrypt. MySQL AES is one
possibility.

Both MD5 and SHA are one-way hashing functions! Password verification
against either requires knowledge of the clear text!

Charles Bradshaw

On: Mon, 4 Feb 2013 18:44:48 +0100, Marc Paterman wrote:

> Wolfgang
> 
> Wolfgang Rosenauer wrote (04.02.2013 18:03):
> 
> > I played around some more with openldap's SASL and ran exactly into the 
> > issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
> > So yes, keeping saslauthd using PAM would help with that.
> What did you test? (I did not do it myself.)
> Like an ldapsearch with "-Y cram-md5" or "-Y plain" both do not work 
> against an object where userPassword is encrypted with CRYPT?
> And both do work while it is encrypted with like SHA or unencrypted?
> 
> Marc


More information about the Info-cyrus mailing list