On 13/10/11 10:14 +0200, Michael Ströder wrote:
> Hi!
> I'd like to do some interop testing using SCRAM-SHA-1. But I don't know how to
> set the userPassword value in OpenLDAP for that. I guess I have to write my
> own tool...
> Did anybody here already play with it?
libsasl2's SCRAM-SHA-1 implementation apparently uses a shared secret
(clear) password, retrieved from 'userPassword', like it does with
DIGEST-MD5:
~# cat > /usr/lib/sasl2/saslpasswd.conf << EOF
auxprop_plugin: ldapdb
ldapdb_uri: ldapi:///
ldapdb_mech: EXTERNAL
EOF
~# saslpasswd2 [email protected]
Password: test1234
Again (for verification): test1234
~# ldapsearch -LLL -H ldapi:/// -b dc=example,dc=org "[email protected]"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: [email protected],ou=people,dc=example,dc=org
uid: [email protected]
uidNumber: 1371123675
gidNumber: 1260883194
homeDirectory: /home/[email protected]
loginShell: /bin/bash
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowExpire: -1
gecos: [email protected]
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: [email protected]
userPassword:: dGVzdDEyMzQ=
# ldapsearch -LLL -x -H ldapi:/// -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
~# ldapwhoami -Y SCRAM-SHA-1 -H ldapi:/// -U [email protected]
SASL/SCRAM-SHA-1 authentication started
Please enter your password: test1234
SASL username: [email protected]
SASL SSF: 0
dn:[email protected],ou=people,dc=example,dc=org
--
Dan White
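Added example, not code from the thread or from Cyrus SASL: the SCRAM-SHA-1 computation of RFC 5802 in Python, split into the client side (which needs the password) and the server side (which needs only salt, iteration count, StoredKey and ServerKey). It shows that reading the cleartext userPassword, as the ldapdb auxprop path above does, is a property of that plugin and not of the mechanism; the nonces, salt and password 'pencil' are the RFC 5802 section 5 test vector, and the 'test1234' check uses a constructed salt.

```python
import base64
import hashlib
import hmac

def hi(password, salt, iterations):
    """Hi() from RFC 5802 section 2.2: PBKDF2-HMAC-SHA-1 with dkLen 20."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)

def make_verifier(password, salt, iterations):
    """Server-side credential: salt, i, StoredKey, ServerKey (RFC 5802 section 3)."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": server_key}

def client_proof(password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def server_verify(verifier, auth_message, proof):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Only the stored verifier is needed, not the cleartext. Returns ServerSignature or None."""
    client_sig = hmac.new(verifier["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), verifier["stored_key"]):
        return None
    return hmac.new(verifier["server_key"], auth_message, hashlib.sha1).digest()

def rfc5802_example():
    """Replay the RFC 5802 section 5 exchange (user 'user', password 'pencil')."""
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    client_first_bare = b"n=user,r=fyko+d2lbbFgONRv9qkxdawL"
    server_first = b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
    client_final_bare = b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
    auth_message = client_first_bare + b"," + server_first + b"," + client_final_bare
    proof = client_proof("pencil", salt, 4096, auth_message)
    sig = server_verify(make_verifier("pencil", salt, 4096), auth_message, proof)
    return (base64.b64encode(proof).decode(),
            base64.b64encode(sig).decode() if sig else None)

if __name__ == "__main__":
    print(rfc5802_example())
```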