
Re: bindpw and SSHA



On Friday 26 September 2008 11:08:32 Nick Kasparidis wrote:
> Hello everyone,
>
> I have a small problem setting up my ldap client.
>
> The issue comes from trying to force authenticated queries. So I have
> set the following lines in my slapd.conf
>
> disallow        bind_anon
> require         authc
>
> On the client side I have added the following lines to my ldap.conf
>
> binddn cn=manager,dc=domain,dc=com
> bindpw {SSHA}<the hash>
>

A simple bind requires that the client has the *cleartext* password.

What documentation that you read made you believe you could use a hash?

Are you aware of what a hash is? The whole point of a hash is to be a one-way 
test. Allowing the "cleartext" hash to be a password equivalent would defeat 
the purpose of the hash.

If you don't want cleartext, you can use a SASL method. But, the SASL methods 
still require a secret to be available on the client side ... (private key, 
Kerberos keytab etc.).

Regards,
Buchan
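
The check a directory server performs on a simple bind against an {SSHA} value, as an added example that is not part of the original message and is not OpenLDAP's code. The function names, the sample password and the fixed salt are constructed for illustration; the value layout is {SSHA} followed by base64(SHA1(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build a stored value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, presented: bytes) -> bool:
    """Server-side check: re-hash what the client sent with the stored salt."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("missing salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(presented + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def demo() -> dict:
    # Constructed sample credentials, not taken from the thread.
    cleartext = b"example-manager-secret"
    stored = make_ssha(cleartext, salt=b"\x01\x02\x03\x04")
    return {
        "stored": stored,
        "bind_with_cleartext": check_ssha(stored, cleartext),
        # Equivalent of "bindpw {SSHA}<the hash>": the hash string is
        # itself treated as the password and hashed again, so it fails.
        "bind_with_hash_string": check_ssha(stored, stored.encode("ascii")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```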