Re: OpenLDAP, Kerberos not Compatible with DIGEST-MD5?
Jorge Diaz wrote:
Hi Everyone!
Thanks to Kurt D. Zeilenga for the help previously. I now have another question about storing passwords.
I have Kerberos 5 (Heimdal), and I could use GSSAPI and Simple Bind, specifying {SASL}user@realm and configuring saslauthd. So far... so good!
But I need DIGEST-MD5 to be LDAPv3 fully compatible! (I need plain text passwords!) Is it not a security problem? How could I enable DIGEST-MD5 and KERBEROS.... how do I synchronize them?
(Kerberos doesn't store plain text passwords and DIGEST-MD5 needs plain text)..... How to solve this dilemma?
There is only one easy way to solve this problem: migrate the Heimdal
KDC database into OpenLDAP slapd, so that the Kerberos keys are stored
in each user's entry. Also load the smbk5pwd module (from
contrib/slapd-modules). Then configure slapd's passwd-hash with both
{KRB5KEY} and {CLEARTEXT} so that the plaintext and the Kerberos key are
maintained.
This also means you must use the Cyrus auxprop mechanism, not saslauthd.
(Which is a good idea anyway, the auxprop mechanism is the most efficient.)
Another question...
How to implement DIGEST-MD5 without using sasldb backend? How to store directly passwords on LDAP userPassword attribute and implement DIGEST-MD5?
slapd will automatically search the user's LDAP entry for the
userPassword and use it for SASL authentication, if you use the default
settings (i.e., use auxprop, not saslauthd). For all other SASL-enabled
servers you'll need the ldapdb module, which used to be in OpenLDAP
contrib but is now part of Cyrus SASL.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
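An added slapd.conf fragment, not from the thread, showing the setup Howard describes: load smbk5pwd, keep both the Kerberos key and the cleartext in each entry, map DIGEST-MD5 identities onto entries so slapd's built-in auxprop lookup finds the userPassword, and restrict who can read the stored secrets. The schema path, module path, suffix and people container are assumptions; the scheme name is given as {K5KEY}, which is how the smbk5pwd README spells it, so check it against the README shipped with your version.

```conf
# slapd.conf fragment (added example, not from the thread).
# Assumptions: schema/module paths, suffix dc=example,dc=com, users under ou=people.
include         /etc/openldap/schema/hdb.schema   # Heimdal hdb-ldap schema (krb5Key, ...)

moduleload      smbk5pwd.la                        # built from contrib/slapd-modules

# Maintain the Heimdal key and the cleartext side by side on every password change.
# Scheme name as in the smbk5pwd README is {K5KEY} (the reply writes it as {KRB5KEY}).
password-hash   {K5KEY} {CLEARTEXT}

database        hdb
suffix          "dc=example,dc=com"

overlay         smbk5pwd
smbk5pwd-enable krb5        # needs a smbk5pwd built with Kerberos support

# Map the SASL identity a DIGEST-MD5 bind presents onto the user's entry, so the
# default auxprop path (not saslauthd) reads the {CLEARTEXT} userPassword from it.
# (sasl-regexp in older releases.)
authz-regexp
    uid=([^,]*),cn=digest-md5,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# Cleartext passwords and Kerberos keys now live in the directory: the owner may
# change them and the bind/auth path may compare them; nobody else may read them.
access to attrs=userPassword,krb5Key
    by self write
    by * auth
```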