directory-dev mailing list archives

From Emmanuel Lécharny <>
Subject SearchBaseDN, Kerberos, SASL and password hashing...
Date Mon, 08 Apr 2013 16:30:48 GMT
Hi guys,

currently, there are two parts of the server that require to know where
the user entry should be read from. We use the searchBaseDN, which is
configured in the ads-searchbasedn in the LDAPserver entry.

So we just have one single place where we tell the server what is the
place in the DIT to look for users.

The problem is that if you activate the Kerberos server, then you have to
activate the hashPassword interceptor that will hash all the
userPassword values, no matter what. This will interfere with the users
that are authenticated using the Simple auth (but we can put them in
some different place if needed), but more importantly, the SASL
authentication using CRAM-MD5 or DIGEST-MD5 is using the same
searchBaseDN, except they *need* the clear text password...

So how can we solve this? I suggest we use a list of searchBaseDNs in
the hashPassword interceptor configuration, and that it only hashes the
userPassword for the entries stored under those places.

WDYT? (see too)

Emmanuel Lécharny
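The following is an added illustration of the behaviour proposed in the message above, written for this archive page; it is not ApacheDS code and does not reflect how the real hashPassword interceptor or its configuration is implemented. It models an interceptor that receives a list of base DNs (the proposed configuration) and hashes userPassword only for entries stored under one of them, so that entries elsewhere in the DIT, such as the CRAM-MD5 / DIGEST-MD5 users, keep their clear-text value. The entry layout (a dict with `dn` and `userPassword`), the function names, the `{SSHA}` scheme and the simplified comma-split DN handling are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed example modelling the proposed "hash only under these base DNs"
# rule. Names, entry layout and the SSHA choice are assumptions for illustration.


def normalize_dn(dn):
    """Split a DN into lowercased, trimmed RDN components.

    Simplification: a plain split on ',' ignores escaped commas and
    multi-valued RDNs; a real server uses its DN parser instead.
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies below it in the DIT."""
    entry = normalize_dn(entry_dn)
    base = normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def ssha(password, salt=None):
    """Return an RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(password, stored):
    """Check a clear-text password against a stored {SSHA} value (simple bind)."""
    if not stored.startswith(b"{SSHA}"):
        return False
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def is_hashed(value):
    """Values already carrying a {SCHEME} prefix are left untouched."""
    return value.startswith(b"{") and b"}" in value


def hash_password_interceptor(entry, hash_base_dns):
    """Hash userPassword only when the entry sits under a configured base DN.

    Entries outside every configured base (e.g. DIGEST-MD5 users) are returned
    unchanged, so their clear-text password stays usable by the SASL mechanism.
    """
    if not any(is_under(entry["dn"], base) for base in hash_base_dns):
        return entry
    out = dict(entry)
    out["userPassword"] = [
        v if is_hashed(v) else ssha(v) for v in entry["userPassword"]
    ]
    return out


# Constructed sample data: Kerberos/simple-bind users under ou=kerberos are
# hashed; SASL users under ou=sasl must keep the clear-text value.
HASH_BASES = ["ou=kerberos,ou=users,dc=example,dc=com"]
KERBEROS_USER = {
    "dn": "uid=alice,ou=kerberos,ou=users,dc=example,dc=com",
    "userPassword": [b"alice-secret"],
}
SASL_USER = {
    "dn": "uid=bob,ou=sasl,ou=users,dc=example,dc=com",
    "userPassword": [b"bob-secret"],
}


def demo():
    hashed = hash_password_interceptor(KERBEROS_USER, HASH_BASES)
    untouched = hash_password_interceptor(SASL_USER, HASH_BASES)
    return hashed, untouched


if __name__ == "__main__":
    hashed, untouched = demo()
    print(hashed["userPassword"][0])      # {SSHA}... (salted, differs per run)
    print(untouched["userPassword"][0])   # b'bob-secret'
```

Running `demo()` shows the split the message asks for: the Kerberos user's value comes back as `{SSHA}...` and still verifies with `verify_ssha`, while the SASL user's value is the original bytes. `is_under` compares normalized RDN suffixes, so case and spacing differences in the configured base DN do not cause an entry to be silently skipped (and left in clear text) or hashed by mistake.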
