Mailing List Message #92270
From: Thom O'Connor <>
Subject: Re: SASL authentication with external LDAP - for SIP/XMPP/Pronto
Date: Fri, 17 Aug 2007 22:00:54 -0700
To: <>
From: "Sambedi Fahted"
> Is there a reasoning behind why SIP, XMPP, XIMSS, etc. require plain text passwords via SASL + external (LDAP) auth?

SIP & XMPP must provide secure authentication mechanisms - this is part
of these RFC-defined protocols. This was implemented specifically to
prevent plain text passwords being passed across untrusted networks
(i.e., the Internet).

SIP uses "HTTP Digest" authentication:
> 26.2.3 HTTP Authentication
>    SIP provides a challenge capability, based on HTTP authentication,
>    that relies on the 401 and 407 response codes as well as header
>    fields for carrying challenges and credentials.  Without significant
>    modification, the reuse of the HTTP Digest authentication scheme in
>    SIP allows for replay protection and one-way authentication.

> 14.7.  Mandatory-to-Implement Technologies
>    At a minimum, all implementations MUST support the following
>    mechanisms:
>    for authentication: the SASL [DIGEST-MD5] mechanism

SASL challenge/response authentication mechanisms (CRAM-MD5, DIGEST-MD5,
HTTP Digest, NTLM) can only work if both the client and server have
access to a "shared secret". That shared secret is the plain text
password. If the server only stores the hashed password (CRYPT, SHA,
SSHA, MD5, etc.) then these mechanisms cannot be used.

XIMSS supports both challenge/response and plain text authentication
mechanisms. To allow plain text login via Pronto, I believe you need to
disable the CRAM-MD5 "Login Method" for those domains [Users->Domain
Defaults] or [Users->Domains->(Select Domain)->Domain Settings]. Doing
this disables SSL in Pronto however, if I remember correctly.

So, to put it (overly) simply - it comes down to a basic choice:
 * More secure on disk, less secure on the wire (PLAIN, LOGIN)
 * Less secure on disk, more secure on the wire (CRAM-MD5, DIGEST-MD5,
HTTP Digest, NTLM)

As the wire (the net) is generally a far more nefarious place, we would
recommend that SASL challenge/response authentication be used.

<skipping discussion of Kerberos/GSSAPI and SSL/TLS>

Hope this helps, have a good weekend,

P.S. SASL/external LDAP script and more info available here:
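The shared-secret point made above, as an added illustration that is not part of the message or of any CommuniGate code: both sides of CRAM-MD5 (RFC 2195) checked against a plaintext credential and against an LDAP-style {SSHA} hash. The user name, challenge and password are constructed values.

```python
import base64
import hashlib
import hmac
import os

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the plaintext password over
    the (base64-decoded) server challenge; the password never crosses the wire."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def verify_cram_md5(stored: dict, challenge: bytes, response: str) -> bool:
    """Server side: the expected digest can only be rebuilt from the plaintext
    secret; a one-way hash on disk leaves nothing to key the HMAC with."""
    if stored["type"] != "PLAIN":
        raise ValueError("CRAM-MD5 needs the shared secret; only a hash is stored")
    _user, digest = response.split(" ", 1)
    expected = hmac.new(stored["secret"].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def ssha_store(password: str, salt=None) -> dict:
    """LDAP-style {SSHA} credential: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    raw = hashlib.sha1(password.encode() + salt).digest() + salt
    return {"type": "SSHA", "secret": "{SSHA}" + base64.b64encode(raw).decode()}

def verify_plain(stored: dict, password: str) -> bool:
    """Server check for a PLAIN/LOGIN login: works against either storage
    form, because the client has already sent the password itself."""
    if stored["type"] == "PLAIN":
        return hmac.compare_digest(stored["secret"], password)
    raw = base64.b64decode(stored["secret"][len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def demo() -> dict:
    """Constructed exchange: one user, one challenge, both storage formats."""
    challenge = b"<1234.1187413254@mail.example.com>"  # constructed challenge
    password = "correct horse battery"                  # constructed secret
    response = cram_md5_response("alice", password, challenge)
    plain_on_disk = {"type": "PLAIN", "secret": password}
    hashed_on_disk = ssha_store(password, salt=b"\x01\x02\x03\x04")  # fixed salt for the demo
    results = {"cram_vs_plain_on_disk": verify_cram_md5(plain_on_disk, challenge, response),
               "plain_vs_hashed_on_disk": verify_plain(hashed_on_disk, password)}
    try:
        results["cram_vs_hashed_on_disk"] = verify_cram_md5(hashed_on_disk, challenge, response)
    except ValueError:
        results["cram_vs_hashed_on_disk"] = False  # the server cannot even compute the check
    return results
```

`demo()` shows the trade-off directly: the hashed credential verifies a PLAIN login but makes CRAM-MD5 impossible, while the plaintext credential supports both.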