On Tue, Mar 15, 2005 at 03:33:35PM +0100, Henrik Nordstrom wrote:
> On Tue, 15 Mar 2005, Sergey Shepshelevich wrote:
>
> >1. squid + digest_pw_auth. In this case we have to use HTTP digest, but at
> >the moment
> >we are storing users' passwords in openldap directory as _crypted_
> >attribute "userPassword".
> >At the same time, to use the digest authorization we have to store
> >MD5(username:realm:password), but it's difficult in our environment.
>
> Difficult in most environments.
>
> >Storing clear password in openldap directory also is not a case.
>
> Unfortunately the only approach which is "future safe" wrt introducing new
> secure authentication methods without forcing all users to change their
> password to have the password hashes recalculated.
>
> >Does any one know if there is any working schemas utilizing openldap +
> >HTTP digest auth?
>
> I have a digest auth helper querying LDAP for the hash, but as you noted
> above this requires either Digest MD5 hashes or plain text passwords in
> the directory..
Do you store MD5(username:realm:password) in the LDAP directory?
There is a problem with passwords...
If MD5(username:realm:password) is used as userPassword, other programs can't work.
Is it possible to use 'sasl2 + squid + openldap' with one attribute 'userPassword'
containing MD5(username:realm:password)?
I read 'Using Digest Authentication as a SASL Mechanism'
http://www.faqs.org/rfcs/rfc2831.html
//3.10 Storing passwords
//Digest authentication requires that the authenticating agent (usually
//the server) store some data derived from the user's name and password
//in a "password file" associated with a given realm. Normally this
//might contain pairs consisting of username and H({ username-value,
// ":", realm-value, ":", passwd }), which is adequate to compute H(A1)
//as described above without directly exposing the user's password.
and can't say, maybe because the interface between the digest helper and squid is not clear to me.
Thanks,
--
Sergey Shepshelevich
Ulyanovsk State Technical University NOC, System administrator

Received on Fri Mar 25 2005 - 11:02:38 MST
This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST
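The H(A1) derivation discussed in the thread, as an added example that is not part of the original mails, of Henrik's helper, or of squid: it computes MD5(username:realm:password) the way RFC 2617 and RFC 2831 section 3.10 describe, stores only that value in a constructed stand-in for the directory, and checks a client's Digest response from the stored value alone. The realm name, user name, nonces and the `DIRECTORY` dictionary are constructed assumptions; the point it demonstrates is that a verifier needs H(A1) (or the clear password) and that H(A1) is bound to one realm, which is why a crypt()-style userPassword cannot be used and why changing the realm forces users to re-enter their passwords.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # H(A1) = MD5(username:realm:password), RFC 2617 3.2.2.2 / RFC 2831 3.10.
    # This is the only secret a Digest verifier needs; it can be stored
    # instead of the password, but it is useless for any other realm.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    # H(A2) for qop=auth: MD5(method:digest-uri)
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_hex: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    # request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}")


# Constructed stand-in for the LDAP directory (assumption: the attribute
# holds H(A1) for this realm, never the clear password).
REALM = "proxy"
DIRECTORY = {"alice": ha1("alice", REALM, "s3cret")}


def client_authorization(username: str, password: str, method: str, uri: str,
                         nonce: str, nc: str, cnonce: str) -> str:
    # What a browser computes from the password the user typed.
    return digest_response(ha1(username, REALM, password), method, uri, nonce, nc, cnonce)


def helper_verify(username: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, response: str) -> bool:
    # What a digest helper can do with only H(A1) fetched from the directory:
    # recompute the expected response and compare in constant time.
    stored = DIRECTORY.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    # Constructed nonce values; a real server issues a fresh nonce per challenge.
    nonce, nc, cnonce = "0123456789abcdef", "00000001", "deadbeef"
    uri = "http://example.org/"
    good = client_authorization("alice", "s3cret", "GET", uri, nonce, nc, cnonce)
    bad = client_authorization("alice", "wrong", "GET", uri, nonce, nc, cnonce)
    return (helper_verify("alice", "GET", uri, nonce, nc, cnonce, good),
            helper_verify("alice", "GET", uri, nonce, nc, cnonce, bad),
            helper_verify("nobody", "GET", uri, nonce, nc, cnonce, good))


def realm_bound() -> bool:
    # The stored hash is tied to the realm: the same user and password in a
    # different realm yield a different H(A1), so renaming the realm (or
    # adding a second one) needs every password re-entered.
    return ha1("alice", "proxy", "s3cret") != ha1("alice", "other", "s3cret")


if __name__ == "__main__":
    print(demo(), realm_bound())
```

Run as a script it prints `(True, False, False) True`: the correct password verifies, a wrong password and an unknown user do not, and H(A1) differs between realms. The directory value is a 32-character hex string, the same shape as the `MD5(username:realm:password)` entry the thread talks about.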