Mailing List Message #92237
From: Thom O'Connor
Subject: RE: SASL authentication with external LDAP - for SIP/XMPP/Pronto
Date: Wed, 15 Aug 2007 13:54:33 -0700
Bret Miller wrote:
> In order to support this properly, two calls would be needed to the external
> auth module:
> SASL-C = give me back something to challenge the user with.
> SASL-R = here is what the user answered.

P.S. It is crucial to recognize that if the LDAP/Directory
implementation described above is doing SASL challenge/response
authentication, then it too *is storing the plain text password*.
CRAM-MD5/DIGEST-MD5/NTLM authentication cannot be accomplished without
it. Even if the password is obfuscated in the database (using a two-way
encryption mechanism), the directory must decrypt the password in order
to perform the CRAM-MD5, DIGEST-MD5, or NTLM calculations.

Therefore, the discussion of on-disk security is still not relevant
here. (On-disk security is important, and can include methods such as
encrypting the database, the filesystem, etc.; however, this discussion
is tangential to our current one). The requirement for having access to
the plain text password is not a CommuniGate Pro thing; it is a SASL
challenge/response requirement.

> The problem is that many implementations don't allow the password
> to be read -- only checked.

This is a separate problem. To my knowledge, there is only one
implementation for which there may not be the ability to read the
password *if it is stored*. And that implementation is Active Directory.
This is not to say that it cannot be done, but just that I'm not aware
of how to do this...yet.

This is an important and complex topic, and we would encourage
community input on these matters. CommuniGate does very much want to
find a solution for this issue on all implementations and platforms,
including AD.

Thanks Bret.
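An added illustration of the point Thom makes above about challenge/response versus "check-only" directories; this is example code written for this page, not CommuniGate Pro or any directory's code. It models one user stored two ways (a constructed salted one-way hash, and the plaintext) and shows that SASL PLAIN can be verified through a check-only call, while CRAM-MD5 (RFC 2195) verification must recompute the HMAC from the stored secret and so needs the password read back. Hostname, salt and the sample password are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed directory entry for one user, stored two ways:
# a salted one-way hash (check-only, what most directories offer) and the
# plaintext itself (what challenge/response verification has to read back).
SALT = b"constructed-salt"
ONE_WAY_STORE = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 10_000)}
PLAINTEXT_STORE = {"alice": "correct horse"}

def directory_check(username: str, candidate: str) -> bool:
    """A 'check-only' directory: accepts a candidate password, never returns one."""
    stored = ONE_WAY_STORE.get(username)
    if stored is None:
        return False
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 10_000)
    return hmac.compare_digest(stored, probe)

def directory_read(username: str):
    """A directory that can hand the plaintext back (what CRAM-MD5 needs)."""
    return PLAINTEXT_STORE.get(username)

def sasl_plain_verify(username: str, password: str) -> bool:
    """SASL PLAIN: the client sends the password itself, so a check-only
    directory is enough and the server never has to read a secret."""
    return directory_check(username, password)

def cram_challenge(hostname: str) -> bytes:
    """Server side of CRAM-MD5: an unpredictable '<random.time@host>' nonce."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>".encode()

def cram_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 of the challenge keyed with the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def cram_verify(response: str, challenge: bytes) -> bool:
    """Server side of CRAM-MD5: the password never crosses the wire, so the
    server must recompute the HMAC from the stored secret. A one-way hash
    cannot serve as that key, which is why this uses directory_read(),
    not directory_check(). The comparison is constant-time."""
    username, _, digest = response.partition(" ")
    secret = directory_read(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)
```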
