Does the Samba 4 LDAP server support GSS-SPNEGO over SASL

paul paul at subsignal.org
Tue Dec 12 12:57:12 GMT 2006


Henrik Nordstrom wrote:
> Mon 2006-12-11 at 11:14 +0100, paul wrote:
> 
>> and how do you tell the client? At least cyrus-sasl needs plaintext on
>> the server side AFAIK.
> 
> The evolution of Cyrus SASL v2 server side is a bit odd and is no longer
> actively supporting pre-hashed password key material only plain-text,
> but the support is still there just hidden a bit.. For Digest-MD5 the
> H(A1) is retrieved from the "*cmusaslsecretDIGEST-MD5" user property if
> the plain-text "userPassword" property is not available.
From what I read this schema is deprecated and it doesn't solve the
problem. Auxprop plugins don't know anything about mechanisms and the
types of hashes used. So the lowest common denominator is plaintext and
the mechanism generates the hash.
In case of OpenLDAP as backend, even if you write your own auxprop that
asks for mechanism specific hashes, you lose EXOP for password changing
so password generation is back on the client..., no silver bullet I'm
afraid.

cheers
 Paul
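
Added example, not part of the original message or of Cyrus SASL / OpenLDAP code: how a Digest-MD5 server can check a response from a stored pre-hashed secret alone, and why that secret is tied to one mechanism and one realm. It follows the RFC 2831 formulas for qop=auth without authzid; treating the stored property as MD5(username:realm:password) is an assumption, and all names and sample values are constructed.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def prehash(user: str, realm: str, password: str) -> bytes:
    """Mechanism-specific key material: MD5(username:realm:password), 16 raw bytes.
    Only the side that sees the plaintext can compute it (ASCII input assumed)."""
    return md5(f"{user}:{realm}:{password}".encode())

def response(secret: bytes, nonce: str, cnonce: str, nc: str, digest_uri: str) -> str:
    """RFC 2831 response-value (qop=auth, no authzid) from the pre-hashed secret."""
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hex()

def server_verify(stored: bytes, client_resp: str, nonce: str, cnonce: str,
                  nc: str, digest_uri: str) -> bool:
    """Server side: needs only the stored hash, never the plaintext password.
    The stored hash is therefore password-equivalent for this mechanism and
    has to be protected like the plaintext."""
    expected = response(stored, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, client_resp)

# Constructed sample values, for illustration only.
USER, REALM, PASSWORD = "paul", "example.org", "s3cret"
NONCE, CNONCE, NC = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001"
URI = "ldap/ldap.example.org"

def demo() -> dict:
    # The client derives the same secret from the password the user typed.
    client = response(prehash(USER, REALM, PASSWORD), NONCE, CNONCE, NC, URI)
    return {
        # A hash stored for the same user and realm verifies the response.
        "same_realm": server_verify(prehash(USER, REALM, PASSWORD),
                                    client, NONCE, CNONCE, NC, URI),
        # A hash generated for another realm is useless, although the password
        # is identical: a store holding only this hash cannot serve a different
        # realm or mechanism without seeing the plaintext again.
        "other_realm": server_verify(prehash(USER, "other.example", PASSWORD),
                                     client, NONCE, CNONCE, NC, URI),
    }

if __name__ == "__main__":
    print(demo())
```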


