How to enable Digest MD5


Hello,

I need some help with enabling digest-md5 authentication on my Primary Domain Controller.

When I run the following command:
root@nethserver:~# ldapsearch -x -p 389 -LLL -h localhost -b "" -s base "(objectclass=*)" supportedSASLMechanisms

I get the following result:
supportedSASLMechanisms: GSSAPI

How do I enable digest-md5 authentication?

Maybe I’m wrong, but challenge-response authentication mechanisms, such as md5 would require storing clear text passwords. We decided to store only encrypted passwords in OpenLDAP, so we have no way for them, sorry.

BTW on ns6-based PDCs we have also the old NTLM hashes for Samba.

Can I ask why do you need md5? What is your goal?

1 Like

I have a Debian-based appliance that was acquired from Avid (NEXIS E4), which is compatible with LDAP for authentication. The problem is, my domain accounts can’t authenticate on our NethServer from this appliance, and Avid support is asking me to try enabling digest-md5.

I have no idea where to look in this appliance for a way to change their authentication method. If I could change this, my problem might be resolved.

Sounds like a big limitation… Isn’t there any alternative?

Not that I know of. At least for now.

I’m reading the OpenLDAP manual and it says:
“The DIGEST-MD5 mechanism is the mandatory-to-implement authentication mechanism for LDAPv3. Though DIGEST-MD5 is not a strong authentication mechanism in comparison with trusted third party authentication systems (such as Kerberos or public key systems), it does offer significant protections against a number of attacks. Unlike the CRAM-MD5 mechanism, it prevents chosen plaintext attacks. DIGEST-MD5 is favored over the use of plaintext password mechanisms. The CRAM-MD5 mechanism is deprecated in favor of DIGEST-MD5.”

I was hoping that somehow I could set up OpenLDAP to support md5.

To clarify, this means that when you built/configured OpenLDAP you decided to remove that authentication mechanism, and therefore there’s no way for me to change it?

Please correct me if I’m wrong, I’m not a cryptography expert! IIRC it is not possible to use one-way encryption, such as md5 with an encrypted password store. The clear-text password must be available, but this is not the ns6 case.

If I understand correctly, this is confirmed by the OpenLDAP documentation itself:

http://www.openldap.org/doc/admin24/sasl.html#DIGEST-MD5

Moreover, IIRC the default OpenLDAP configuration in CentOS comes with EXTERNAL/Unix socket (ldapi) authentication.
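The point made above (a challenge-response mechanism such as DIGEST-MD5 needs the clear-text password, or a password-equivalent secret, on the server side) follows directly from the RFC 2831 computation. The Python below is an added example written for this thread, not code from NethServer, OpenLDAP or Avid. It computes a DIGEST-MD5 response the way RFC 2831 specifies, checks it against the RFC's own worked example, and contrasts it with an {SSHA}-style one-way hash of the kind OpenLDAP stores in userPassword: the digest verifier can only work from the MD5 of "user:realm:password", while the one-way hash can only be checked when the password itself arrives (simple bind over TLS). The user, realm, nonces and salt below are constructed values.

```python
import base64
import hashlib
import hmac
import os


def md5_raw(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_secret(username: str, realm: str, password: str) -> bytes:
    """Raw MD5 of "user:realm:password", the first part of A1 in RFC 2831.
    This is what a DIGEST-MD5 verifier must hold. It is derived from the
    clear-text password and is password-equivalent: whoever has it can
    answer any challenge for this user in this realm."""
    return md5_raw(f"{username}:{realm}:{password}".encode())


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str) -> str:
    """Client response-value per RFC 2831 section 2.1.2.1 (no authzid).
    Note that A1 concatenates the *raw* MD5 bytes with ":nonce:cnonce"."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd_input = f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2)}"
    return md5_hex(kd_input.encode())


def verify_digest_md5(stored_secret: bytes, nonce: str, cnonce: str, nc: str,
                      qop: str, digest_uri: str, response: str) -> bool:
    """Server-side check: the only way to validate a DIGEST-MD5 response is to
    recompute it from the stored password-equivalent secret."""
    expected = digest_md5_response(stored_secret, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


def rfc2831_example_response() -> str:
    """Known-answer check using the worked example from RFC 2831 section 4
    (user chris, realm elwood.innosoft.com, password secret)."""
    secret = digest_secret("chris", "elwood.innosoft.com", "secret")
    return digest_md5_response(secret, "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk",
                               "00000001", "auth", "imap/elwood.innosoft.com")


def ssha_hash(password: str, salt: bytes = None) -> str:
    """One-way salted hash in the {SSHA} form OpenLDAP stores in userPassword:
    base64(sha1(password + salt) + salt). The password cannot be recovered
    from it, so neither can digest_secret()."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, password: str) -> bool:
    """Simple-bind style check: needs the clear-text password on each login,
    which is why this store pairs with simple bind over TLS, not DIGEST-MD5."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed sample exchange, not taken from the thread.
    user, realm, password = "alice", "example.test", "correct horse battery staple"
    nonce, cnonce, nc, qop, uri = "c2VydmVybm9uY2U=", "Y2xpZW50bm9uY2U=", "00000001", "auth", "ldap/ldap.example.test"
    secret = digest_secret(user, realm, password)
    response = digest_md5_response(secret, nonce, cnonce, nc, qop, uri)
    print("digest verifies with stored HA1:", verify_digest_md5(secret, nonce, cnonce, nc, qop, uri, response))
    stored = ssha_hash(password)
    print("stored one-way hash:", stored)
    print("simple bind verifies with password:", verify_ssha(stored, password))
    print("RFC 2831 known answer:", rfc2831_example_response())
```

The asymmetry is the whole story of this thread: `verify_digest_md5` takes `stored_secret`, which only exists if the directory keeps the password (or its MD5 with user and realm) in recoverable form, whereas `verify_ssha` takes the password itself, which a DIGEST-MD5 exchange never sends. A server that stores only {SSHA} values therefore cannot offer DIGEST-MD5, and one that does offer it is holding a secret that is as sensitive as the password.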

Basically, to use md5 I would have to use NS6, right?
I would like to try it. Currently I’m using NS6.8.

I’m not sure I understand this point… :confused:

Of course try it! Let me know how it goes, but you’re warned: you must change a lot of things from the ns6 configuration…

You talked about NS6, so I assumed that you were talking about NethServer 6. I’m using NethServer 6.8 and out of the box it does not have digest-md5, as I said in the first post.

I have no idea how to change things to make it work!
I was hoping for some help on how I enable sasl digest md5.

I’m starting to believe that digest-md5 is no longer supported, but I would like to find some “official” article that talks about that so I could be sure and move on to some other solution for my problem.

According to this document (page 63):
http://resources.avid.com/SupportFiles/attach/AvidNEXIS/Avid_NEXIS_Administration_Guide_v6.pdf

Avid NEXIS currently supports only Microsoft Active Directory, and might not be compatible with other LDAP implementations.

At this point, you’d switch to NS7… hacking your server is not a good idea.

HTH

1 Like

So…
I had the opportunity to test another server - Zentyal 2.3, which is an old version and it supports digest-md5. With this server I was able to successfully authenticate with our Avid appliance.

This makes me think that digest-md5 has been discontinued in many distributions like yours. I just want someone to confirm this.

… in the meantime I’ve asked Avid support for help, and I’m hoping that they can change their appliance in order to use another authentication mechanism.

I don’t have a clue about this, but I think what follows may be of use.

RFC 4513: LDAP Authentication Methods and Security Mechanisms (year 2006)

The name/password authentication mechanism (…) protected by TLS replaces the SASL DIGEST-MD5 mechanism as LDAP’s mandatory-to-implement password-based authentication mechanism. Implementations are encouraged to continue supporting SASL DIGEST-MD5

RFC 4513: LDAP Authentication Methods and Security Mechanisms (year 2006)

As the SASL-DIGEST-MD5 mechanism is no longer mandatory to implement, this section is now historical

RFC 6331: Moving DIGEST-MD5 to Historic (year 2011)

This memo describes problems with the DIGEST-MD5 Simple Authentication and Security Layer (SASL) mechanism as specified in RFC 2831. It marks DIGEST-MD5 as OBSOLETE in the IANA Registry of SASL mechanisms and moves RFC 2831 to Historic status.

3 Likes

@dnutan, thank you for this document.

This document supports what I’ve discussed with Avid support. Digest-MD5 is deprecated. I asked them about the possibility of using another authentication mechanism, like GSSAPI.

I’m hoping they are willing to do this.

Anyway, I appreciate the help I’ve got here!!

3 Likes

And I appreciate your acknowledgment! Could you mark this topic solved?