
Re: storing HA1 password hash for HTTP DIGEST, SIP, TURN
On 13/07/15 11:37, Daniel Pocock wrote:
> 
> 
> On 13/07/15 11:03, Michael Ströder wrote:
>> Daniel Pocock wrote:
>>> There are a few protocols that use a HA1[1] password hash, such as HTTP
>>> DIGEST[1], SIP DIGEST[2] and TURN[3] (which uses HMAC rather than DIGEST)
>>>
>>> Is there a standard LDAP attribute name for storing a HA1 value or
>>> should it be stored in a regular userPassword attribute as described in
>>> the manual[4]?
>>
>> Do you want to use the LDAP server only as dumb password store or do you also
>> want to use this attribute for LDAP bind operation?
>>
> 
> Good question
> 
> For the DIGEST and HMAC algorithms, the most interesting possibility
> would be for OpenLDAP to perform validation:
> 
> 1. HTTP server (or SIP proxy or whatever) creates a challenge header and
> sends it to the end user
> 2. User responds with an authorization token
> 3. HTTP server gives a copy of the challenge and the response to the
> OpenLDAP server
> 4. OpenLDAP gives a validation true/false response
> 
> In this case, clients can't read the HA1 from LDAP
> 
> Could that be done with a bind?  Does it have any performance impact
> doing a bind or is there a more lightweight way to achieve this?
> 
> There is already a similar solution for RADIUS, rlm_digest
> http://freeradius.org/radiusd/man/rlm_digest.txt
> 

I'm just wondering if anybody can give any more feedback about this
issue before I look at coding anything for it?
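The four-step flow quoted above, as an added example that is not part of the original thread: the validator holds only HA1 and answers true/false, so the client never receives HA1. The user, realm and password are constructed, and the request-digest follows RFC 2617 with qop=auth.

```python
import hashlib
import hmac
import secrets

def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the only secret the LDAP side needs to keep."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 request-digest for qop=auth; the same function serves client and validator."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

def issue_challenge(realm: str) -> dict:
    """Step 1: the HTTP server / SIP proxy creates the challenge it later hands to the validator."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth"}

def client_authorize(username: str, password: str, challenge: dict, method: str, uri: str) -> dict:
    """Step 2: the client answers from its cleartext password (it never sees the stored HA1)."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    h = ha1(username, challenge["realm"], password)
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "method": method, "nc": nc, "cnonce": cnonce, "qop": "auth",
            "response": digest_response(h, method, uri, challenge["nonce"], nc, cnonce)}

def validate(ha1_store: dict, challenge: dict, authz: dict) -> bool:
    """Steps 3-4: the validator (the role proposed for OpenLDAP) receives the issued challenge
    and the client's Authorization parameters, looks up HA1 by (username, realm) and returns
    true/false. HA1 never leaves this function."""
    if authz.get("nonce") != challenge["nonce"] or authz.get("realm") != challenge["realm"]:
        return False  # response was not computed against the challenge we issued
    stored = ha1_store.get((authz.get("username"), challenge["realm"]))
    if stored is None:
        return False
    expected = digest_response(stored, authz["method"], authz["uri"], challenge["nonce"],
                               authz["nc"], authz["cnonce"], authz.get("qop", "auth"))
    return hmac.compare_digest(expected, authz.get("response", ""))

# Constructed sample data (not from the thread): one provisioned user in the HA1 store.
REALM = "sip.example.org"
HA1_STORE = {("alice", REALM): ha1("alice", REALM, "correct horse battery staple")}

if __name__ == "__main__":
    ch = issue_challenge(REALM)
    good = client_authorize("alice", "correct horse battery staple", ch, "GET", "/dir/index.html")
    bad = client_authorize("alice", "wrong password", ch, "GET", "/dir/index.html")
    print(validate(HA1_STORE, ch, good), validate(HA1_STORE, ch, bad))  # True False
```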