LDAP schema for Secure Remote Password authentication

Here is a simple LDAP schema for storing Secure Remote Password (SRP-6a) authentication credentials. It defines an auxiliary object class srp6Account that can be attached to any directory entry to enable SRP-6a authentication for it. The SRP salt and verifier are stored together in a single text attribute called srp6Verifier.

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
# Every attribute type and object class needs a numeric OID. The OIDs below are
# placeholders: replace 99999 with your own IANA Private Enterprise Number (or
# another OID arc you control) before loading the schema.
# Continuation lines start with two spaces: LDIF strips the first, the second
# keeps the tokens separated after unfolding.
attributeTypes: ( 1.3.6.1.4.1.99999.1.1
  NAME 'srp6Verifier'
  DESC 'Stores SRP6 salt and verifier, in hex and delimited by semicolon'
  EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )
objectClasses: ( 1.3.6.1.4.1.99999.2.1
  NAME 'srp6Account'
  DESC 'Account with SRP-6a authentication support'
  SUP top
  AUXILIARY
  MAY srp6Verifier )

The following format is suitable for storing the Secure Remote Password credentials:

srp6Verifier: [hex-string-salt];[hex-string-verifier]

The salt and the verifier are hex-encoded (to save space and avoid ambiguity) and separated by a semicolon, for example:

srp6Verifier: b24c9bc199aafd143a94;10b3a3986ec57075d1a8f83bafc3350f582f6bd08064d3a09b9f5b4cdcf21c6ee

Restrict read access to srp6Verifier the same way you restrict userPassword: the verifier does not reveal the password directly, but anyone who can read the salt and verifier can run an offline dictionary attack against them.
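To show how a value in this format is produced and then consumed, here is an added Python example (not the post's own code, and not Nimbus SRP): it enrols a user by deriving the SRP-6a verifier from a salt and password, formats the result as hex-salt;hex-verifier, parses and validates a stored value, and derives what the server needs for its first SRP-6a message (the salt and B = k*v + g^b mod N) from that value. It assumes the RFC 5054 1024-bit group with g = 2 (transcribed here, so check it against the RFC) and uses SHA-256 for every hash; the hash, the x derivation and the group must match whatever SRP library the server actually runs, so treat those as assumptions. All function names are hypothetical and the sample username and password are constructed.

```python
"""SRP-6a enrolment and parsing for the srp6Verifier attribute (added example)."""
import hashlib
import re
import secrets
from typing import Optional, Tuple

# RFC 5054 Appendix A, 1024-bit group, generator g = 2. Transcribed from the RFC;
# verify it against the RFC before relying on it in a real deployment.
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes for the 1024-bit group

# Assumption: SHA-256 for every hash. RFC 5054 uses SHA-1; whichever hash and
# x-routine the server's SRP library uses must match this enrolment code.
def _hash_int(*parts: bytes) -> int:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(), "big")

def _pad(n: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054 PAD())."""
    return n.to_bytes(N_LEN, "big")

def compute_verifier(salt: bytes, username: str, password: str) -> int:
    """v = g^x mod N with x = H(s | H(I ':' P)), the RFC 5054 derivation."""
    inner = hashlib.sha256(f"{username}:{password}".encode("utf-8")).digest()
    x = _hash_int(salt, inner)
    return pow(g, x, N)

def format_srp6_verifier(salt: bytes, v: int) -> str:
    """Build the attribute value: hex salt, semicolon, hex verifier."""
    return f"{salt.hex()};{v:x}"

_VALUE_RE = re.compile(r"([0-9a-f]+);([0-9a-f]+)", re.IGNORECASE)

def parse_srp6_verifier(value: str) -> Tuple[bytes, int]:
    """Parse and validate a stored value; raises ValueError on anything malformed."""
    m = _VALUE_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError("expected <hex-salt>;<hex-verifier>")
    salt_hex, v_hex = m.groups()
    if len(salt_hex) % 2:
        raise ValueError("salt hex string must have an even number of digits")
    v = int(v_hex, 16)
    if not 1 < v < N:
        raise ValueError("verifier is not a valid element of the SRP group")
    return bytes.fromhex(salt_hex), v

def is_valid_srp6_verifier(value: str) -> bool:
    try:
        parse_srp6_verifier(value)
        return True
    except ValueError:
        return False

def enroll(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Create the srp6Verifier value to store on a new srp6Account entry."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per account
    return format_srp6_verifier(salt, compute_verifier(salt, username, password))

def server_challenge(stored_value: str, b: int) -> Tuple[bytes, int]:
    """What the server derives from the stored value for its first SRP-6a message:
    the salt to send back and B = k*v + g^b mod N, with k = H(N | PAD(g))."""
    salt, v = parse_srp6_verifier(stored_value)
    k = _hash_int(_pad(N), _pad(g))
    B = (k * v + pow(g, b, N)) % N
    return salt, B

def verifier_matches(stored_value: str, username: str, password: str) -> bool:
    """Test aid only: the protocol never gives the server the password. This just
    shows the stored value is a deterministic function of (salt, username, password)."""
    salt, v = parse_srp6_verifier(stored_value)
    return compute_verifier(salt, username, password) == v

if __name__ == "__main__":
    value = enroll("alice", "correct horse battery staple")  # constructed sample
    print("srp6Verifier:", value)
    salt, B = server_challenge(value, secrets.randbelow(N))
    print("salt:", salt.hex(), "B bit length:", B.bit_length())
```

The parser is deliberately strict: a value with no semicolon, non-hex characters, an odd-length salt, or a verifier outside (1, N) is rejected before any group arithmetic happens, which is the check an SRP server should run when it reads the attribute back from the directory.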

Check out Nimbus SRP if you’re looking for a solid and well documented Secure Remote Password library.