RFC6331: Moving DIGEST-MD5 to Historic #143

Open
Neustradamus opened this issue Jan 9, 2022 · 6 comments

Neustradamus commented Jan 9, 2022

Dear @flamencist,

First, I wish you a Happy New Year!

20 November 2008: CRAM-MD5 to Historic:

29 June 2017: CRAM-MD5 to Historic:

July 2011: RFC6331: Moving DIGEST-MD5 to Historic:

August 2021: RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2:
"Replaced DIGEST-MD5 SASL mechanism with SCRAM-SHA-256. DIGEST-MD5 was deprecated."

I add the same about SCRAM-MD5.

There are now:

  • July 2010: RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM): SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802 (SCRAM-SHA-1 and SCRAM-SHA-1-PLUS)
  • July 2010: RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803
  • November 2015: RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS: Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677

Soon:

@flamencist
Owner

Hi! You are welcome! The library is based on the OpenLDAP native library for Unix systems and wldap for Windows. Detailed investigation is needed about supporting SCRAM in these libraries.

@Neustradamus
Author

@flamencist: Thanks for your quick reply!
It is linked to the request for SCRAM support, more details here: #142, and there is a link to a list of libs/software already compatible.

@quanah: Happy New Year, can you give a perfect answer, as a member of the OpenLDAP team, about SCRAM possibilities? It is not clear on the website, which needs an update: https://www.google.com/search?q=site%3Aopenldap.org+SCRAM.

It is a little better for Cyrus: https://www.google.com/search?q=site%3Acyrusimap.org+SCRAM.

Thanks in advance.

@Neustradamus
Author

Dear @quanah: You have forgotten to reply to @flamencist.

Maybe other members of the @openldap team can reply?

Thanks in advance.

quanah commented Jan 21, 2022

@Neustradamus OpenLDAP uses cyrus-sasl for SASL mechanisms, not sure that OpenLDAP needs to do anything here.

@flamencist
Owner

The library uses SASL interaction via the OpenLDAP native method ldap_sasl_interactive_bind_s https://man7.org/linux/man-pages/man3/ldap_unbind_s.3.html
It looks like OpenLDAP directly uses sasl_client_start for mechs https://github.com/winlibs/openldap/blob/2615a35b32b3596a1e8f872f0c244bc4a41a047e/libraries/libldap/cyrus.c#L501

Anyway, I need some help to set the correct mechanism for new types of auth.

@aamelnikov

SCRAM is a part of Cyrus SASL, so I think it should just work with ldap_sasl_interactive_bind_s out of the box. I am certainly able to use SCRAM in LDAP using OpenLDAP in the code I write for my employer.
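
Added example, not code from this thread or from the library: one way to build the mechanism list for `ldap_sasl_interactive_bind_s` so that DIGEST-MD5 and CRAM-MD5 are never negotiated even when the server still advertises them. The helper name `filter_sasl_mechs`, the preference order and the sample list are assumptions of this example; the offered list is assumed to come from the server's `supportedSASLMechanisms` attribute.

```c
#include <stdio.h>
#include <string.h>

/* Example policy (assumption): SCRAM names from the RFCs listed above,
 * strongest first. DIGEST-MD5 and CRAM-MD5 are deliberately absent. */
static const char *const ALLOWED[] = {
    "SCRAM-SHA-256-PLUS", "SCRAM-SHA-256", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-1",
};

/* Whole-token match in a space-separated list, so "SCRAM-SHA-256" is not
 * found inside "SCRAM-SHA-256-PLUS". RFC 4422 names are upper case. */
static int offered_has(const char *offered, const char *mech)
{
    size_t mlen = strlen(mech);
    for (const char *p = offered; *p; ) {
        p += strspn(p, " ");
        size_t len = strcspn(p, " ");
        if (len == mlen && memcmp(p, mech, len) == 0)
            return 1;
        p += len;
    }
    return 0;
}

/* Hypothetical helper: writes the allowed mechanisms that were offered into
 * out, space-separated. Returns the count kept (0 = fail closed, do not
 * bind) or -1 if out is too small. */
int filter_sasl_mechs(const char *offered, char *out, size_t outsz)
{
    int kept = 0;
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        if (!offered_has(offered, ALLOWED[i])) continue;
        int n = snprintf(out + used, outsz - used, "%s%s", kept ? " " : "", ALLOWED[i]);
        if (n < 0 || (size_t)n >= outsz - used) { out[0] = '\0'; return -1; }
        used += (size_t)n;
        kept++;
    }
    return kept;
}

int main(void)
{
    char mechs[128]; /* the input below is a constructed sample server list */
    int n = filter_sasl_mechs("DIGEST-MD5 CRAM-MD5 SCRAM-SHA-1 SCRAM-SHA-256", mechs, sizeof mechs);
    printf("%d usable: %s\n", n, mechs);
    return n > 0 ? 0 : 1;
}
```

When the helper returns 0 the caller should refuse to bind rather than retry with the unfiltered list, since that retry is the downgrade the filter exists to prevent.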

@flamencist flamencist added the enhancement New feature or request label Mar 26, 2022