Re: Confused about password authentication formats
On 10/09/10 17:14 +0000, 1.41421@gmail.com wrote:
> I would actually need the opposite. That is, the target password may
> be stored in the LDAP server in the clear, and the client should send
> not the password, but its Base64-encoded SHA-1 digest. On receiving
> this the LDAP server ought to compute the SHA-1 digest of the value
> of the userPassword attribute for the relevant user, Base64-encode it
> and compare it with the data received from the client in order to
> carry out the authentication.
> How can this be done in OpenLDAP and within the LDAP standards? The
> goal here is to make sure that the password never gets transferred in
> the clear. I would agree that this really adds much in the way of
> security, and that the right way to do it would be to establish a TLS
> channel between client and server, but that's a different story.
See the OpenLDAP Administrator's Guide, section 14.3 and chapter 15 for a
discussion of over-the-wire transmission of passwords.
Also see http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/components.php
and the discussion of shared secret mechanisms.
OpenLDAP implements SASL support to address the scenario you're trying to
solve, which requires that you store the plaintext (shared secret) password
in your LDAP entry, and make use of strong/SASL binds against the server.
In a scenario where you're using such a mechanism (e.g. DIGEST-MD5), your
client and the server know the shared secret, but the secret is not
transmitted over the wire, even in the absence of SSL/TLS encryption.
Your client software will need to support LDAPv3 and SASL.
--
Dan White
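The difference between the two approaches discussed in this thread, as an added illustration that is not part of the original messages and not OpenLDAP or Cyrus SASL code: the first function pair models the "send a fixed Base64(SHA-1(password))" idea from the question, the second models a shared-secret challenge-response bind in the spirit of the SASL mechanisms Dan points to. The challenge-response here is a simplified HMAC-SHA256 over a server nonce, chosen for clarity; real DIGEST-MD5 (RFC 2831) uses a different, MD5-based construction, but the property shown is the same: the secret both sides hold never crosses the wire, and the value that does cross it is tied to a one-time nonce. The shared secret and user name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed placeholder: the plaintext shared secret that, in the SASL
# scenario, is stored in the user's LDAP entry and also known to the client.
SHARED_SECRET = b"correct horse battery staple"
USERNAME = "alice"


def static_digest(password: bytes) -> bytes:
    """Scheme from the question: the client always sends the same
    Base64(SHA-1(password)) value, and the server compares it with the
    same transform of the stored userPassword."""
    return base64.b64encode(hashlib.sha1(password).digest())


def server_challenge() -> bytes:
    """Server side of the shared-secret bind: a fresh random nonce per attempt."""
    return secrets.token_bytes(16)


def client_response(secret: bytes, nonce: bytes, username: str) -> bytes:
    """Client side: prove knowledge of the secret without transmitting it.
    Only the keyed digest over (username, nonce) goes over the wire."""
    msg = username.encode() + b"\x00" + nonce
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest())


def server_verify(stored_secret: bytes, nonce: bytes, username: str, response: bytes) -> bool:
    """Server side: recompute the expected response from the stored secret and
    the nonce it issued for this attempt, then compare in constant time."""
    expected = client_response(stored_secret, nonce, username)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walk through one bind of each kind and report what a passive observer
    of the wire would end up holding."""
    # Static digest: the value on the wire is identical for every bind, so
    # one observed value is as good as the password for all future binds.
    first = static_digest(SHARED_SECRET)
    second = static_digest(SHARED_SECRET)

    # Challenge-response: a response is only valid for the nonce it was
    # computed against, so an observed response fails on the next attempt.
    nonce1 = server_challenge()
    resp1 = client_response(SHARED_SECRET, nonce1, USERNAME)
    fresh_ok = server_verify(SHARED_SECRET, nonce1, USERNAME, resp1)

    nonce2 = server_challenge()
    reused_ok = server_verify(SHARED_SECRET, nonce2, USERNAME, resp1)

    return {
        "static_digest_constant": first == second,
        "fresh_bind_ok": fresh_ok,
        "observed_response_reusable": reused_ok,
        "secret_on_wire": SHARED_SECRET in (resp1 + nonce1 + nonce2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the challenge-response variant still requires the server to hold the secret in a form it can compute with (here the plaintext), which is exactly the trade-off Dan describes: the SASL shared-secret mechanisms keep the password off the wire at the cost of storing it recoverable on the server, whereas a hashed userPassword plus a simple bind over TLS keeps it off the wire and hashed at rest.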