[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Crypt Passwords?
>How does one go about creating & storing the encrypted passwords in the
>database?
If you already have crypted passwords (say, from NIS), you can use
migrate_passwd.pl, distributed as part of:
http://www.xedoc.com.au/~lukeh/ldap/MigrationTools.tar.gz
>Also, what tools do people generally use to let their users change their
>own passwords?
The ldappasswd tool that ships with ypldapd supports changing crypt
passwords both with OpenLDAP and Netscape LDAP servers. pam_ldap-12 (just
uploaded to http://www.xedoc.com.au/~lukeh/ldap/pam_ldap.tar.gz) also
supports client-side hash generation.
The difference is that, generally, Netscape prefer to generate the hash on
the server. See an earlier email in this discussion list regarding this.
To enable client side hash generation in pam_ldap, add the following to
/etc/ldap.conf:
pam_crypt local
Now, with Netscape's Directory Server, I thought it was mandatory to send
the password unhashed. It turns out that hashing on the client seems to work
if your server-side hash mechanism is crypt and you're not using the NT
Synchronziation Service (which requires the unhashed password). This
provides a semblance of security when changing passwords, but it would be
better for the password changing program to use SSL/TLS.
-- Luke