On 13/07/15 11:03, Michael Ströder wrote: > Daniel Pocock wrote: >> There are a few protocols that use a HA1[1] password hash, such as HTTP >> DIGEST[1], SIP DIGEST[2] and TURN[3] (which uses HMAC rather than DIGEST) >> >> Is there a standard LDAP attribute name for storing a HA1 value or >> should it be stored in a regular userPassword attribute as described in >> the manual[4]? > > Do you want to use the LDAP server only as dumb password store or do you also > want to use this attribute for LDAP bind operation? >
Good question For the DIGEST and HMAC algorithms, the most interesting possibility would be for OpenLDAP to perform validation: 1. HTTP server (or SIP proxy or whatever) creates a challenge header and sends it to the end user 2. User responds with an authorization token 3. HTTP server gives a copy of the challenge and the response to the OpenLDAP server 4. OpenLDAP gives a validation true/false response In this case, clients can't read the HA1 from LDAP Could that be done with a bind? Does it have any performance impact doing a bind or is there a more lightweight way to achieve this? There is already a similar solution for RADIUS, rlm_digest http://freeradius.org/radiusd/man/rlm_digest.txt
