Closed f1-outsourcing closed 1 year ago
If you're talking about LDAP's internal hashing mechanisms for passwords, that has zero to do with SASL. OpenLDAP itself supports a number of modern hashing algorithms beyond SSHA. You didn't specify what LDAP server you're using, I suggest reading its documentation for how to choose what hashing mechanisms to use for passwords.
Dear @openldap team, @quanah: It is not clear in OpenLDAP for SCRAM:
Is it possible to add more information?
cc: @mhardin42, @martyheyman, @hyc, @shawnmckinney, @jklowden, @mistotebe, @nivanova-symas, @rtandy, ...
If you have questions about OpenLDAP then you should be using the OpenLDAP project resources, such as the openldap-technical emailing list, not pinging people here.
Also, SCRAM has zero to do with how userPasswords are hashed in OpenLDAP.
It is just my lack of knowledge and this file being there. When I read it, I got the impression that SASL supported just a subset of the OpenLDAP hashes.
That part of the doc specifically talks about a "custom" auth method where saslauthd reads the userPassword attribute and checks it itself. https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD#L95
So it has nothing to do with OpenLDAP's password hashing methods. But obviously it's a dumb idea to use this method, and better to just let OpenLDAP take care of password hashing.
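To make concrete what that "custom" saslauthd method has to do, here is an added example (not code from cyrus-sasl or OpenLDAP) that parses the `{SCHEME}base64(digest || salt)` layout of a userPassword value and verifies a candidate password against it, covering the schemes the doc lists ({MD5}, {SMD5}, {SHA}, {SSHA}) and, as an assumed generalization of the same salted layout, {SSHA256}/{SSHA512}. The sample values are constructed in the block itself.

```python
import base64
import hashlib
import hmac

# scheme -> (hashlib algorithm, salted?). {SHA}/{SSHA} are SHA-1 as in the
# saslauthd doc; {SSHA256}/{SSHA512} are assumed to use the same digest||salt
# layout (not part of the thread's list).
SCHEMES = {
    "MD5": ("md5", False), "SMD5": ("md5", True),
    "SHA": ("sha1", False), "SSHA": ("sha1", True),
    "SSHA256": ("sha256", True), "SSHA512": ("sha512", True),
}


def encode_userpassword(scheme, password, salt=b""):
    """Build a userPassword value such as {SSHA}base64(digest || salt)."""
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_userpassword(stored, candidate):
    """Verify candidate against a stored {SCHEME}... value.

    Returns False (never raises) for unknown schemes or malformed values, so a
    corrupt attribute is treated as a failed login rather than a crash.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        return False
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return False
    digest, salt = raw[:dlen], raw[dlen:]  # salt is whatever follows the digest
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


# Constructed sample: a fixed salt so the value is reproducible.
SAMPLE_SSHA = encode_userpassword("SSHA", "correct horse", b"s4lt")
```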
On this page[1] it is written: "Supported hashes: crypt, md5, smd5, sha and ssha."
I still have an older LDAP with SSHA, but was thinking of using a different hash for passwords after upgrading. I think I read something that it is quite easy to crack plain SSHA. Does your SSHA include the 256 and 512 versions? It might be nice to mention that on this page.
[1] https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD