Re: storing HA1 password hash for HTTP DIGEST, SIP, TURN
- To: openldap-technical@openldap.org
- Subject: Re: storing HA1 password hash for HTTP DIGEST, SIP, TURN
- From: Daniel Pocock <daniel@pocock.pro>
- Date: Mon, 13 Jul 2015 11:37:09 +0200
- In-reply-to: <55A37EFF.6070602@stroeder.com>
- References: <55A379AC.90603@pocock.pro> <55A37EFF.6070602@stroeder.com>
On 13/07/15 11:03, Michael Ströder wrote:
> Daniel Pocock wrote:
>> There are a few protocols that use a HA1[1] password hash, such as HTTP
>> DIGEST[1], SIP DIGEST[2] and TURN[3] (which uses HMAC rather than DIGEST)
>>
>> Is there a standard LDAP attribute name for storing a HA1 value or
>> should it be stored in a regular userPassword attribute as described in
>> the manual[4]?
>
> Do you want to use the LDAP server only as dumb password store or do you also
> want to use this attribute for LDAP bind operation?
>
Good question.
For the DIGEST and HMAC algorithms, the most interesting possibility
would be for OpenLDAP to perform validation:
1. HTTP server (or SIP proxy or whatever) creates a challenge header and
sends it to the end user
2. User responds with an authorization token
3. HTTP server gives a copy of the challenge and the response to the
OpenLDAP server
4. OpenLDAP gives a validation true/false response
In this case, clients can't read the HA1 from LDAP.
Could that be done with a bind? Does it have any performance impact
doing a bind or is there a more lightweight way to achieve this?
There is already a similar solution for RADIUS, rlm_digest:
http://freeradius.org/radiusd/man/rlm_digest.txt
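The four-step flow above, as an added worked example that is not code from this thread, from OpenLDAP or from FreeRADIUS. It shows what a verifier that holds only HA1 needs to do: compute the expected RFC 2617 Digest response (qop=auth, which SIP Digest reuses) from the challenge nonce and the client's Authorization header, and answer true/false without exposing HA1. It also shows that the RFC 5389 TURN long-term credential key is the same MD5(username:realm:password), used as an HMAC-SHA1 key instead of in a Digest. Function names, the header parser and the "Mufasa" sample values (taken from the RFC 2617 section 3.5 example) are this example's own; SASLprep of the password is omitted. One caveat worth stating plainly: HA1 is password-equivalent for these protocols, since anyone holding it can answer any challenge for that realm, which is why keeping it unreadable by clients matters.

```python
"""Digest HA1 verification as an LDAP-side validator (added example)."""
import hashlib
import hmac
import re


def _h(*parts: str) -> str:
    """H() of RFC 2617: MD5 over the colon-joined parts, lowercase hex."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = H(username:realm:password). This is what would be stored in
    LDAP. Anyone holding it can answer any Digest challenge for that realm,
    so it is password-equivalent and must never be readable by clients."""
    return _h(username, realm, password)


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side response for qop=auth (RFC 2617 3.2.2.1)."""
    ha2 = _h(method, uri)
    return _h(ha1, nonce, nc, cnonce, qop, ha2)


def build_authorization(username, realm, ha1, method, uri, nonce, nc, cnonce):
    """Step 2 of the flow: the Authorization header the client sends back."""
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def verify_digest(stored_ha1: str, method: str, header: str, issued_nonce: str) -> bool:
    """Steps 3 and 4: the front end hands over the challenge nonce it issued
    and the client's Authorization header; the verifier answers True/False
    using only HA1, which never leaves it."""
    p = parse_authorization(header)
    try:
        # The nonce must be the one this server issued for this exchange.
        # A production verifier also tracks nc per nonce to reject replays.
        if p["nonce"] != issued_nonce or p.get("qop", "auth") != "auth":
            return False
        expected = digest_response(stored_ha1, method, p["uri"], p["nonce"],
                                   p["nc"], p["cnonce"])
        # Constant-time compare: the response is a credential derivative.
        return hmac.compare_digest(expected, p["response"])
    except KeyError:
        return False


def turn_long_term_key(username: str, realm: str, password: str) -> bytes:
    """RFC 5389 15.4 long-term credential key: the raw 16-byte
    MD5(username:realm:password). Byte-for-byte the same value as HA1,
    used as the HMAC-SHA1 key for MESSAGE-INTEGRITY rather than in a Digest."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def stun_message_integrity(key: bytes, message: bytes) -> bytes:
    """MESSAGE-INTEGRITY value: HMAC-SHA1 over the STUN message bytes."""
    return hmac.new(key, message, hashlib.sha1).digest()


if __name__ == "__main__":
    # Sample credentials and challenge from the RFC 2617 section 3.5 example
    # (constructed input for this demo; the nonce there is a fixed string).
    user, realm, pw = "Mufasa", "testrealm@host.com", "Circle Of Life"
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    ha1 = compute_ha1(user, realm, pw)
    hdr = build_authorization(user, realm, ha1, "GET", "/dir/index.html",
                              nonce, "00000001", "0a4f113b")
    print(hdr)
    print("valid:", verify_digest(ha1, "GET", hdr, nonce))
    print("replayed under another nonce:", verify_digest(ha1, "GET", hdr, "other"))
```

The verifier is deliberately given the nonce it issued rather than trusting the one echoed in the header; without that (and nonce-count tracking), a captured Authorization header replays indefinitely even though HA1 itself was never exposed.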