Description of feature:
When using authentication = "ldap" with ldap_mode = "bind" on Prosody 13.0.3, an increasing number of clients complain about security, as the user password is passed on to the LDAP server.
Example from Monal:
>Your server announced channel-binding types but did not offer any SCRAM-PLUS methods. This is likely an ongoing man-in-the-middle attack (but could also be a server misconfiguration), disabling account!
I am no authentication expert, but is it technically possible to implement SCRAM without having to store plain text passwords on the LDAP server?
Motivation: This error message is a major hindrance for XMPP adoption by non-technical users.
Zash
on
There are two paths.
In the 'bind' mode, LuaLDAP would need support for SASL, and then the LDAP server would need to implement SCRAM.
Alternatively, a variant of the 'getpasswd' mode, where you store credentials in LDAP in SCRAM form instead of plain passwords. See RFC 5803.
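To illustrate the second path, here is an added example (not Prosody, LuaLDAP or Zash's code) of what "credentials in SCRAM form" means: the LDAP entry holds only the salt, iteration count, StoredKey and ServerKey in the single-string layout RFC 5803 describes for the authPassword attribute, and the server can still verify a SCRAM-SHA-1 client proof from that record without ever seeing the plain password. The salt and AuthMessage are constructed sample values; the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import os

HASH = "sha1"  # SCRAM-SHA-1; the same construction works for sha256


def scram_keys(password: str, salt: bytes, iterations: int):
    """Derive StoredKey and ServerKey as in RFC 5802 section 3."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return stored_key, server_key


def to_rfc5803(password: str, salt: bytes, iterations: int) -> str:
    """Build the authPassword value: scheme$iter:salt$storedKey:serverKey (all base64)."""
    stored_key, server_key = scram_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"SCRAM-SHA-1${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def parse_rfc5803(value: str):
    """Split an authPassword value back into its parts."""
    scheme, auth_info, auth_value = value.split("$")
    iterations, salt = auth_info.split(":")
    stored_key, server_key = auth_value.split(":")
    return (scheme, int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))


def client_side_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """What the XMPP client computes: ClientProof = ClientKey XOR ClientSignature."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    client_signature = hmac.new(stored_key, auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_signature))


def server_verify(stored_value: str, auth_message: bytes, client_proof: bytes):
    """What the server does with only the LDAP record.

    Recovers ClientKey from the proof, checks H(ClientKey) == StoredKey, and on
    success returns the ServerSignature the client uses to authenticate the server.
    Returns None if the proof does not match.
    """
    _, _, _, stored_key, server_key = parse_rfc5803(stored_value)
    client_signature = hmac.new(stored_key, auth_message, HASH).digest()
    client_key = bytes(a ^ b for a, b in zip(client_proof, client_signature))
    if not hmac.compare_digest(hashlib.new(HASH, client_key).digest(), stored_key):
        return None
    return hmac.new(server_key, auth_message, HASH).digest()


# Constructed sample values for a stand-alone run.
SALT = b"constructed-salt-16b"          # a real deployment would use os.urandom(16)
ITERATIONS = 4096
AUTH_MESSAGE = b"n=alice,r=cnonce,r=cnoncesnonce,s=...,i=4096,c=biws,r=cnoncesnonce"


def demo():
    record = to_rfc5803("correct horse", SALT, ITERATIONS)   # what goes into LDAP
    good = client_side_proof("correct horse", SALT, ITERATIONS, AUTH_MESSAGE)
    bad = client_side_proof("wrong password", SALT, ITERATIONS, AUTH_MESSAGE)
    return record, server_verify(record, AUTH_MESSAGE, good), server_verify(record, AUTH_MESSAGE, bad)


if __name__ == "__main__":
    record, ok, rejected = demo()
    print("LDAP authPassword:", record)
    print("valid proof accepted:", ok is not None, "| wrong password rejected:", rejected is None)
```

The point to take from the record string is that it contains no secret from which the password is recoverable without a brute-force search, and that the verifier side needs nothing else: this is what would let a getpasswd-style LDAP mode offer SCRAM (and SCRAM-PLUS, given channel binding) instead of passing the password through to a bind.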