Re: SCRAM-SHA-1
On 13/10/11 10:14 +0200, Michael Ströder wrote:
> Hi!
> I'd like to do some interop testing using SCRAM-SHA-1. But I don't know how to
> set the userPassword value in OpenLDAP for that. I guess I have to write my
> own tool...
> Did anybody here already play with it?
libsasl2's SCRAM-SHA-1 implementation apparently uses a shared secret
(clear) password, retrieved from 'userPassword', like it does with
DIGEST-MD5:
~# cat > /usr/lib/sasl2/saslpasswd.conf << EOF
auxprop_plugin: ldapdb
ldapdb_uri: ldapi:///
ldapdb_mech: EXTERNAL
EOF
~# saslpasswd2 jsmith@example.org
Password: test1234
Again (for verification): test1234
~# ldapsearch -LLL -H ldapi:/// -b dc=example,dc=org "uid=jsmith@example.org"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=jsmith@example.org,ou=people,dc=example,dc=org
uid: jsmith@example.org
uidNumber: 1371123675
gidNumber: 1260883194
homeDirectory: /home/jsmith@example.org
loginShell: /bin/bash
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowExpire: -1
gecos: jsmith@example.org
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: jsmith@example.org
userPassword:: dGVzdDEyMzQ=
~# ldapsearch -LLL -x -H ldapi:/// -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
~# ldapwhoami -Y SCRAM-SHA-1 -H ldapi:/// -U jsmith@example.org
SASL/SCRAM-SHA-1 authentication started
Please enter your password: test1234
SASL username: jsmith@example.org
SASL SSF: 0
dn:uid=jsmith@example.org,ou=people,dc=example,dc=org
--
Dan White
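The transcript above shows what the ldapdb auxprop path needs in the directory: `userPassword:: dGVzdDEyMzQ=` is just base64 of "test1234", so the entry holds the cleartext secret. SCRAM itself does not require that. RFC 5802 lets the server keep only the salt, the iteration count, StoredKey and ServerKey, and still verify the client and prove its own identity. The following is an added example, not code from this thread, from Cyrus SASL or from OpenLDAP: a minimal SCRAM-SHA-1 client and server in pure Python, driven with the test vector from RFC 5802 section 5 (user "user", password "pencil", fixed nonces so the output is reproducible). The `make_verifier`/`run_exchange` helper names and the dict layout are this example's own; SASLprep normalisation is omitted, so it only handles ASCII passwords.

```python
"""SCRAM-SHA-1 (RFC 5802) client and server in pure Python.

Added example; not code from the mailing-list post, Cyrus SASL or OpenLDAP.
SASLprep is omitted (ASCII passwords only).  Helper names are this example's own.
"""
import base64
import hashlib
import hmac


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2-HMAC-SHA1 with a 20-byte output."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def parse(msg: str) -> dict:
    """Split 'k=v,k=v' SCRAM attributes; base64 values never contain ','."""
    return dict(part.split("=", 1) for part in msg.split(","))


def make_verifier(password: bytes, salt: bytes, iterations: int) -> dict:
    """Everything a SCRAM server needs to store; the password is not in it."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }


def client_first(username: str, client_nonce: str):
    bare = f"n={username},r={client_nonce}"
    return "n,," + bare, bare  # GS2 header "n,," = no channel binding


def server_first(verifier: dict, client_nonce: str, server_nonce: str) -> str:
    nonce = client_nonce + server_nonce  # server appends its own randomness
    return f"r={nonce},s={b64(verifier['salt'])},i={verifier['iterations']}"


def client_final(password: bytes, bare: str, sfirst: str) -> str:
    attrs = parse(sfirst)
    without_proof = f"c=biws,r={attrs['r']}"  # "biws" is base64("n,,")
    auth_message = (bare + "," + sfirst + "," + without_proof).encode("ascii")
    salted = hi(password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    # ClientProof = ClientKey XOR ClientSignature
    return f"{without_proof},p={b64(xor(client_key, client_sig))}"


def server_verify(verifier: dict, bare: str, sfirst: str, cfinal: str):
    """Recover ClientKey from the proof and compare H(ClientKey) to StoredKey.
    Returns the server-final message (v=...) on success, None on failure."""
    without_proof, proof_b64 = cfinal.rsplit(",p=", 1)
    if parse(without_proof)["r"] != parse(sfirst)["r"]:
        return None  # nonce mismatch: replayed or spliced message
    auth_message = (bare + "," + sfirst + "," + without_proof).encode("ascii")
    client_sig = hmac.new(verifier["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = xor(base64.b64decode(proof_b64), client_sig)
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), verifier["stored_key"]):
        return None
    server_sig = hmac.new(verifier["server_key"], auth_message, hashlib.sha1).digest()
    return "v=" + b64(server_sig)


def run_exchange(username: str, password: bytes, verifier: dict,
                 client_nonce: str, server_nonce: str):
    """Drive both sides; returns the four messages (last one is None on failure)."""
    cfirst, bare = client_first(username, client_nonce)
    sfirst = server_first(verifier, client_nonce, server_nonce)
    cfinal = client_final(password, bare, sfirst)
    return cfirst, sfirst, cfinal, server_verify(verifier, bare, sfirst, cfinal)


# RFC 5802 section 5 test vector.  Nonces are fixed here only to make the run
# reproducible; a real implementation draws them from a CSPRNG.
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_VERIFIER = make_verifier(b"pencil", RFC_SALT, 4096)
C_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
S_NONCE = "3rfcNHYJY1ZVvWVs7j"

if __name__ == "__main__":
    for side, msg in zip("CSCS", run_exchange("user", b"pencil", RFC_VERIFIER, C_NONCE, S_NONCE)):
        print(f"{side}: {msg}")
    print("server stores:", {k: b64(v) if isinstance(v, bytes) else v
                             for k, v in RFC_VERIFIER.items()})
```

Running it prints the four messages exactly as they appear in RFC 5802 section 5, followed by the server-side record, which contains salt, iteration count, StoredKey and ServerKey but no password. A server that stores only that record still needs to be protected: RFC 5802 section 9 notes that an attacker who obtains StoredKey and ServerKey can impersonate the server, and can impersonate the client after observing one genuine exchange. It does, however, deny the attacker the cleartext secret that a `userPassword` like the one above hands over directly.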
- References:
- SCRAM-SHA-1
- From: Michael Ströder <michael@stroeder.com>