[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos and DIGEST-MD5

To: openldap-software@OpenLDAP.org
Subject: Re: Kerberos and DIGEST-MD5
From: Dieter Kluenter <dieter@dkluenter.de>
Date: Tue, 27 Jul 2004 23:28:11 +0200
In-reply-to: <410647C9.6020009@opentechnet.com> (Jose Gonzalez Gomez's message of "Tue, 27 Jul 2004 14:17:13 +0200")
References: <410647C9.6020009@opentechnet.com>
User-agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.4 (Rational FORTRAN, linux)

Jose Gonzalez Gomez <jgonzalez@opentechnet.com> writes:

[...]
>     So what's the problem? It seems that to build a LDAPv3 compliant
> server I must provide DIGEST-MD5 authentication to the LDAP server,
> and this is what I don't know how to achieve in a clean manner. In
> order to have DIGEST-MD5 working I must have a clear text password
> stored somewhere (correct me if I'm wrong), but it seems that Kerberos
> doesn't have it, or I don't know how to use it in the DIGEST-MD5
> authentication process. It seems that Cyrus SASL *does need* this
> password stored in its sasldb2 database to be able to successfully
> offer DIGEST-MD5, but this would mean that I'd have duplicated
> information and I'd have to sync both databases (Kerberos and SASL)
> whenever a password change occurs. So, am I missing anything here? Is
> there any clean solution for this?

You don't require sasldb2, but you may use attribute userPassword with
value in cleartext. Protection can be achieved by appropriate acl's.

-Dieter

-- 
Dieter Klünter | Systemberatung
Tel.: +49.40.64861967
Fax : +49.40.64891521
http://www.avci.de

References:
- Kerberos and DIGEST-MD5
  - From: Jose Gonzalez Gomez <jgonzalez@opentechnet.com>

Prev by Date: Re: Kerberos and DIGEST-MD5
Next by Date: Re: Kerberos and DIGEST-MD5
Index(es):
- Chronological
- Thread