Neustradamus closed 4 years ago
@dhawes can our OpenLDAP docker image support this?
I've pushed an image that supports:
SCRAM-SHA-1 SCRAM-SHA-224 SCRAM-SHA-256 SCRAM-SHA-384 SCRAM-SHA-512
by using cyrus-sasl git master [1].
PLUS support will have to wait until Cyrus SASL supports it.
@dhawes: Please look: https://github.com/cyrusimap/cyrus-sasl/commits/master
Thanks a lot to @aamelnikov and @ksmurchison too.
@dhawes: Have you looked for -PLUS variants, already in master?
I see a documentation update, but no commits. Can you reference a commit where this was added?
https://github.com/cyrusimap/cyrus-sasl/issues/552 is still open as well.
@dhawes: It was already done.
If you have a problem, please inform me.
I have made a request to the author (@aamelnikov).
And there was a documentation problem, and some links are not good yet:
https://github.com/cyrusimap/cyrus-sasl/issues/552 claims that adding -PLUS will take a lot more work. I don't see that work in any commits.
The search you link shows updates to support mech lists. It's unclear if those mechs are actually supported.
I tried the latest master to see if support exists, but I am unable to use any -PLUS variants. Have you attempted to use -PLUS with cyrus-sasl?
Added support for SCRAM in this PR: https://github.com/vt-middleware/ldaptive/pull/160
@dfish3r: Thanks a lot :)
@dfish3r: Little question, what is missing for -PLUS variants?
As @dhawes mentioned, PLUS doesn't appear to be supported yet in cyrus-sasl. Since that is our testing platform we won't proceed with any development until those features are available.
v2 merged into master. Please test these mechanisms when you have a chance.
@dfish3r: Thanks for SCRAM-SHA-1/SCRAM-SHA-256/SCRAM-SHA-512.
Can I create a new ticket for -PLUS variants?
> Thanks for SCRAM-SHA-1/SCRAM-SHA-256/SCRAM-SHA-512.
Did you test these?
> Can I create a new ticket for -PLUS variants?
Sure.
Not really :/
@dfish3r: Why not use BouncyCastle for TLS binding like Tigase?
It will be a while before I look at the -PLUS implementation. Please make comments on that issue.
@dfish3r: Have you seen RFC 9266?
Linked to:
"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
SCRAM-SHA-1(-PLUS):
SCRAM-SHA-256(-PLUS):
SCRAM-SHA-512(-PLUS):
SCRAM-SHA3-512(-PLUS):
SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
-PLUS variants:
IMAP:
LDAP:
HTTP:
JMAP:
2FA:
IANA: