On Tue, Mar 15, 2005 at 03:33:35PM +0100, Henrik Nordstrom wrote:
> On Tue, 15 Mar 2005, Sergey Shepshelevich wrote:
>
> > 1. squid + digest_pw_auth. In this case we have to use HTTP digest, but at
> > the moment we are storing users' passwords in openldap directory as _crypted_
> > attribute "userPassword".
> > At the same time, to use the digest authorization we have to store
> > MD5(username:realm:password), but it's difficult in our environment.
>
> Difficult in most environments.
>
> > Storing clear password in openldap directory also is not a case.
>
> Unfortunately the only approach which is "future safe" wrt introducing new
> secure authentication methods without forcing all users to change their
> password to have the password hashes recalculated.
>
> > Does any one know if there is any working schemas utilizing openldap +
> > HTTP digest auth?
>
> I have a digest auth helper querying LDAP for the hash, but as you noted
> above this requires either Digest MD5 hashes or plain text passwords in
> the directory..

Do you store MD5(username:realm:password) in the LDAP directory?

There are problems with passwords ... If MD5(username:realm:password) is used as userPassword, other programs can't work.

Is it possible to use 'sasl2 + squid + openldap' with one attribute 'userPassword' containing MD5(username:realm:password)?

I read 'Using Digest Authentication as a SASL Mechanism'
http://www.faqs.org/rfcs/rfc2831.html

//3.10 Storing passwords
//Digest authentication requires that the authenticating agent (usually
//the server) store some data derived from the user's name and password
//in a "password file" associated with a given realm. Normally this
//might contain pairs consisting of username and H({ username-value,
// ":", realm-value, ":", passwd }), which is adequate to compute H(A1)
//as described above without directly exposing the user's password.

and can't say, maybe because the interface between the digest helper and squid is not clear to me.
Thanks,
--
Sergey Shepshelevich
Ulyanovsk State Technical University
NOC, System administrator
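As an added example that is not part of this thread and not squid's own helper code, the following Python sketch shows what the RFC 2831 section 3.10 "password file" actually holds and how a digest helper can answer squid from it without ever seeing the clear-text password. The request line format `"user":"realm"` and the bare `ERR` reply are my assumption about the squid 2.5 digest_pw_auth helper protocol (check the helper source for your version); the user, realm, password and nonces are constructed, and the in-memory dict stands in for the file or LDAP attribute that would hold H(A1).

```python
import hashlib
import hmac
import re


def h(s: str) -> str:
    """Hex MD5 of a string: the H() of RFC 2617 / RFC 2831 Digest."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password).

    This is the only secret the server side needs to keep. It is bound to
    the realm, which is why it cannot double as a crypt() or plain
    userPassword for other programs, and why changing the realm forces
    every user to re-enter a password so the hash can be recomputed."""
    return h(f"{username}:{realm}:{password}")


# Constructed stand-in for the Digest "password file" (or an LDAP attribute):
# (username, realm) maps to H(A1), never to the clear-text password.
HA1_STORE = {
    ("alice", "Proxy"): ha1("alice", "Proxy", "correct horse battery"),
}

# Assumed squid 2.5 digest helper request line:  "username":"realm"
# Assumed reply: the hex H(A1) on one line, or ERR when the user is unknown.
_REQUEST = re.compile(r'^"([^"]*)":"([^"]*)"$')


def helper_reply(line: str) -> str:
    """Answer one helper request read from squid on stdin."""
    m = _REQUEST.match(line.rstrip("\r\n"))
    if m is None:
        return "ERR"
    return HA1_STORE.get((m.group(1), m.group(2)), "ERR")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response value for qop=auth, computed from H(A1) alone."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(username: str, realm: str, method: str, uri: str, nonce: str,
           nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
    """Server-side check: the stored H(A1) is sufficient; no password needed."""
    stored = HA1_STORE.get((username, realm))
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Client side knows the password, derives H(A1) itself, answers the challenge.
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    client_ha1 = ha1("alice", "Proxy", "correct horse battery")
    resp = digest_response(client_ha1, "GET", "http://example.com/", nonce, nc, cnonce)
    print("helper ->", helper_reply('"alice":"Proxy"'))
    print("helper ->", helper_reply('"mallory":"Proxy"'))
    print("verified:", verify("alice", "Proxy", "GET", "http://example.com/",
                              nonce, nc, cnonce, resp))
```

The point for the LDAP question in the thread: the directory only ever has to return the 32-hex-character H(A1) for a given user and realm, so whatever attribute holds it must be distinct from the `userPassword` that other consumers expect, and the value is tied to the realm string squid sends.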