On 13/07/15 11:37, Daniel Pocock wrote:
>
>
> On 13/07/15 11:03, Michael Ströder wrote:
>> Daniel Pocock wrote:
>>> There are a few protocols that use a HA1[1] password hash, such as HTTP
>>> DIGEST[1], SIP DIGEST[2] and TURN[3] (which uses HMAC rather than DIGEST)
>>>
>>> Is there a standard LDAP attribute name for storing a HA1 value or
>>> should it be stored in a regular userPassword attribute as described in
>>> the manual[4]?
>>
>> Do you want to use the LDAP server only as dumb password store or do you also
>> want to use this attribute for LDAP bind operation?
>>
>
> Good question
>
> For the DIGEST and HMAC algorithms, the most interesting possibility
> would be for OpenLDAP to perform validation:
>
> 1. HTTP server (or SIP proxy or whatever) creates a challenge header and
> sends it to the end user
> 2. User responds with an authorization token
> 3. HTTP server gives a copy of the challenge and the response to the
> OpenLDAP server
> 4. OpenLDAP gives a validation true/false response
>
> In this case, clients can't read the HA1 from LDAP
>
> Could that be done with a bind? Does it have any performance impact
> doing a bind or is there a more lightweight way to achieve this?
>
> There is already a similar solution for RADIUS, rlm_digest
> http://freeradius.org/radiusd/man/rlm_digest.txt
>
I'm just wondering if anybody can give any more feedback about this issue before I look at coding anything for it?
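Added example (not part of this thread, and not OpenLDAP or rlm_digest code): the four-step flow quoted above, written out for the MD5 variant of HTTP Digest (RFC 2617 / RFC 7616). The "validator" function stands in for the OpenLDAP side: it is handed the challenge the server issued plus the parsed Authorization parameters, and returns true/false knowing only the stored HA1, never the cleartext password. Function names, the dict-based challenge, and the simple header parser are my own choices; the only non-constructed data is the RFC 2617 section 3.5 test vector (user "Mufasa", password "Circle Of Life").

```python
"""Digest challenge/response validated from a stored HA1 alone (added example)."""
import hashlib
import hmac
import re
from typing import Dict, Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the value that would be provisioned into LDAP."""
    return _md5(f"{username}:{realm}:{password}")


def compute_response(ha1: str, nonce: str, method: str, uri: str,
                     qop: Optional[str] = None, nc: Optional[str] = None,
                     cnonce: Optional[str] = None) -> str:
    """Digest response for qop=auth (or legacy no-qop). Needs HA1, not the password."""
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Matches key="quoted value" or key=bare-token inside the header parameter list.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(header: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (backslash escapes not handled)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: quoted if quoted else bare for k, quoted, bare in _PARAM_RE.findall(params)}


def validate(stored_ha1: str, challenge: Dict[str, str], method: str,
             auth: Dict[str, str]) -> bool:
    """Steps 3/4 of the thread: given the issued challenge and the client's
    Authorization parameters, answer True/False using only the HA1."""
    # The client must echo the realm and nonce we issued; a response computed
    # against some other nonce (a replay) must fail here, before any hashing.
    if auth.get("realm") != challenge["realm"] or auth.get("nonce") != challenge["nonce"]:
        return False
    qop = auth.get("qop")
    if qop not in (None, "auth"):
        return False  # auth-int (body hashing) deliberately not handled in this example
    if qop == "auth" and not (auth.get("nc") and auth.get("cnonce")):
        return False
    if "uri" not in auth or "response" not in auth:
        return False
    expected = compute_response(stored_ha1, challenge["nonce"], method, auth["uri"],
                                qop, auth.get("nc"), auth.get("cnonce"))
    # Constant-time comparison of the two fixed-length hex strings.
    return hmac.compare_digest(expected, auth["response"])


# RFC 2617 section 3.5 example exchange (the only non-constructed data here).
RFC2617_REALM = "testrealm@host.com"
RFC2617_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC2617_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"'
)


def demo(password: str = "Circle Of Life") -> bool:
    """Provision HA1 for the RFC user, then validate the RFC's Authorization header.
    Passing a different (constructed) password yields a non-matching HA1 -> False."""
    directory = {"Mufasa": compute_ha1("Mufasa", RFC2617_REALM, password)}  # what LDAP holds
    challenge = {"realm": RFC2617_REALM, "nonce": RFC2617_NONCE, "qop": "auth"}
    auth = parse_digest_header(RFC2617_HEADER)
    return validate(directory[auth["username"]], challenge, "GET", auth)


if __name__ == "__main__":
    print("valid:", demo())
    print("wrong password:", demo("hakuna matata"))
```

One caveat worth keeping in mind when deciding where the HA1 lives: within its realm the HA1 is password-equivalent, since `compute_response` needs nothing else to produce a valid answer. Whoever can read the attribute can impersonate the user, which is exactly why the quoted design (the directory returns only a verdict and never hands the HA1 to the application server) is attractive, and why the attribute needs the same ACL treatment as userPassword if it is stored separately.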
