Gentlemen,

Sorry to butt into this thread at so late a stage.

Indeed SASL does not support encrypted passwords because it can't! SASL CRAM-MD5 and DIGEST-MD5 do not transmit the password over the link; as a consequence both the client and the server need knowledge of the clear text.

It is possible to store encrypted passwords in some kind of database provided that the lookup mechanism is capable of doing the decrypt. MySQL AES is one possibility.

Both MD5 and SHA are one-way hashing functions! Password verification against either requires knowledge of the clear text!

Charles Bradshaw

On Mon, 4 Feb 2013 18:44:48 +0100, Marc Paterman wrote:
> Wolfgang
>
> Wolfgang Rosenauer wrote (04.02.2013 18:03):
>
> > I played around some more with openldap's SASL and ran exactly into the
> > issue that SASL seems to explicitly _not_ support CRYPT userPasswords.
> > So yes, keeping saslauthd using PAM would help with that.
> What did you test? (I did not do it myself.)
> Like an ldapsearch with "-Y cram-md5" or "-Y plain" both do not work
> against an object where userPassword is encrypted with CRYPT?
> And both do work while it is encrypted with like SHA or unencrypted?
>
> Marc

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
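An added illustration, not part of the original thread and not Cyrus SASL or OpenLDAP code, of the point in the reply above: a CRAM-MD5 server must recompute an HMAC-MD5 keyed with the shared secret, so the exchange succeeds against a cleartext store and fails against a one-way hash. It goes slightly beyond the thread by also showing a PLAIN-style check, where the cleartext does arrive and can be re-hashed; the user name, password, challenge and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 2195): '<user> <hex HMAC-MD5(secret, challenge)>'."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}".encode()

def cram_md5_verify(stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the HMAC keyed with whatever is stored for the user."""
    _, _, digest = response.rpartition(b" ")
    expected = hmac.new(stored, challenge, hashlib.md5).hexdigest().encode()
    return hmac.compare_digest(expected, digest)

def ssha(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 in the {SSHA} layout: base64(sha1(password + salt) + salt)."""
    raw = hashlib.sha1(password + salt).digest() + salt
    return b"{SSHA}" + base64.b64encode(raw)

def plain_verify(stored: bytes, password: bytes) -> bool:
    """PLAIN-style check: the cleartext arrives, so it can be re-hashed and compared."""
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    salt = raw[20:]  # SHA-1 digest is 20 bytes; the remainder is the salt
    return hmac.compare_digest(ssha(password, salt), stored)

def demo() -> dict:
    password = b"correct horse"                    # constructed sample password
    challenge = b"<1896.697170952@mail.example>"   # constructed server challenge
    hashed = ssha(password, os.urandom(8))         # what a hashed userPassword holds
    response = cram_md5_response("alice", password, challenge)
    return {
        # Server stores the cleartext: it derives the same HMAC as the client.
        "cram_cleartext_store": cram_md5_verify(password, challenge, response),
        # Server stores only the hash: it cannot derive the client's HMAC key.
        "cram_hashed_store": cram_md5_verify(hashed, challenge, response),
        # The password itself is on the wire, so the hash is enough to verify.
        "plain_hashed_store": plain_verify(hashed, password),
        "plain_wrong_password": plain_verify(hashed, b"wrong guess"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```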