
The scoop on {crypt} passwords



The {crypt} string works for any string which is a valid
crypt(3) password on the host running slapd.  Crypt(3)
is not standardized.  On some systems it may be DES
based, on others MD5 based, on others who knows.
Slapd doesn't really care.  It just calls crypt(3)
on the asserted value using the stored value as the
salt and then compares the result to the stored value.

Because crypt(3) differs from host to host, userPassword
generated on one system may not work on another.  For
example, if your management client only supports
Blowfish crypt passwords and slapd only supports DES
based crypt passwords, the generated {crypt} passwords
are not useable.

Crypt passwords are best used during migration to
true SHA1 or MD5 schemes (preferably seeded varieties)
because these schemes are well defined and reasonably
protected against attack.

Note that some crypt(3) implementations use MD5 (or
SHA1).  If the crypt(3) implementation uses MD5,
it might be possible to convert the password(5) to
a form suitable for storing in userPassword using
the {MD5} or {SMD5} scheme.  This, in general,
requires some translation as the password(5) encoding
used is generally not the same as the userPassword
encoding.

	Kurt
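The check described above, written out as an added example; this is not
code from the message or from OpenLDAP.  The host's crypt(3) is modelled
by a reimplementation of the MD5-based ("$1$") variant only, so a stored
{crypt} value in any other format (DES, Blowfish "$2b$", SHA-512 "$6$")
is rejected on this host, which is the portability failure the message
warns about.  The {MD5}/{SMD5}/{SHA}/{SSHA} values use OpenLDAP's
base64(digest(password + salt) + salt) encoding.  The "rasmuslerdorf" /
"rasmusle" hash is the md5crypt test vector printed in the PHP crypt()
manual page; every other sample value below is constructed.

```python
"""Model of how slapd checks one userPassword value (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# crypt(3)'s output alphabet, used by the MD5-based variant's encoder.
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> bytes:
    out = bytearray()
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, setting: bytes) -> bytes:
    """MD5-based crypt(3) ("$1$" hashes), reimplemented from the published
    algorithm; it stands in for the crypt(3) of the host running slapd."""
    magic = b"$1$"
    salt = setting[3:] if setting.startswith(magic) else setting
    salt = salt.split(b"$", 1)[0][:8]           # stops at '$', at most 8 chars
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                       # fixed 1000-round stretching
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return magic + salt + b"$" + out


def host_crypt(password: bytes, setting: bytes) -> Optional[bytes]:
    """This host's crypt(3): it understands only the "$1$" format.  A DES,
    Blowfish ("$2b$") or SHA-512 ("$6$") setting is not supported here."""
    if setting.startswith(b"$1$"):
        return md5crypt(password, setting)
    return None


# The well-defined schemes: base64(digest(password + salt) + salt),
# with an empty salt for the unseeded {MD5} and {SHA} variants.
_DIGEST = {"MD5": (hashlib.md5, 16), "SMD5": (hashlib.md5, 16),
           "SHA": (hashlib.sha1, 20), "SSHA": (hashlib.sha1, 20)}


def check_password(asserted: str, stored: str) -> bool:
    """Compare an asserted password against one stored userPassword value."""
    pw = asserted.encode()
    if not stored.startswith("{"):              # cleartext userPassword
        return hmac.compare_digest(pw, stored.encode())
    scheme, _, data = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":
        # As the message says: the stored value is passed as the salt, and
        # the result of crypt(3) must equal the stored value.
        result = host_crypt(pw, data.encode())
        return result is not None and hmac.compare_digest(result, data.encode())
    if scheme in _DIGEST:
        fn, dlen = _DIGEST[scheme]
        raw = base64.b64decode(data)
        digest, salt = raw[:dlen], raw[dlen:]
        if scheme in ("MD5", "SHA") and salt:
            return False                        # unseeded scheme carries no salt
        return hmac.compare_digest(fn(pw + salt).digest(), digest)
    return False                                # unknown scheme


def make_userpassword(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Generate a userPassword value for the given scheme."""
    pw = password.encode()
    scheme = scheme.upper()
    if scheme == "CRYPT":
        salt = salt or _to64(int.from_bytes(os.urandom(6), "big"), 8)
        return "{CRYPT}" + md5crypt(pw, salt).decode()
    fn, _ = _DIGEST[scheme]
    salt = b"" if scheme in ("MD5", "SHA") else (salt or os.urandom(4))
    return "{" + scheme + "}" + base64.b64encode(fn(pw + salt).digest() + salt).decode()


if __name__ == "__main__":
    good = "{CRYPT}$1$rasmusle$rISCgZzpwk3UhDidwXvin0"   # md5crypt test vector
    print(check_password("rasmuslerdorf", good), check_password("wrong", good))
    # Constructed {crypt} value from a Blowfish-only management client: this
    # host's crypt(3) does not know $2b$, so the value can never match.
    print(check_password("rasmuslerdorf", "{CRYPT}$2b$10$" + "." * 53))
    ssha = make_userpassword("SSHA", "rasmuslerdorf")  # portable, fully specified
    print(ssha, check_password("rasmuslerdorf", ssha))
```

Note that the Blowfish case fails closed (a plain mismatch, not an error),
which is how an unusable {crypt} value shows up in practice: the bind
simply never succeeds.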