
Re: password exop and encrypted passwords



Your discussion is interesting to me.

I am using OpenLDAP 2.0.7 with only "--enable-phonetic" set on.
When I view
/usr/loval/var/openldap-ldbm/id2entry.dbb
I can see that the passwords are enciphered.

When I execute an ldapsearch I see the passwords in
cleartext.

I remember that the first time I experimented with passwords,
I saw them enciphered when I was doing an ldapsearch.
But now I am unable to reconstruct this.

At the moment I have the situation I have described above.

The server can decrypt the passwords
(enciphered in "d2entry.dbb"; cleartext as the result of an ldapsearch).
From this it follows that they aren't enciphered by a one-way-hash-like cipher.
Right?

I want to have them stored enciphered by a non-reversible hash function.
On no account should they be seen in cleartext by an ldapsearch.

Is "password exop" a new configure option?
Can I solve my problem with it?
Do I need to update my LDAP server to version 2.0.11?



Message from Thursday 21 June 2001 15:23:
> At 07:50 AM 6/21/2001, Steve Schultze wrote:
> >I'd like to use the new password exop, but I'd also like to store my
> >passwords encrypted.  I'm using PADL's pam_ldap and when I change my
> >passwords using the password exop, they are stored in plaintext.
>
> password exop only stores hashed passwords.  If what you get
> is plaintext, then you're not using password exop.
>
> >I'd like
> >them to be stored encrypted.
> >
> >My question is this:  where is the task of encrypting the new password?
> >Should pam_ldap encrypt the new password before doing the exop (which I
> >*think* would work, correct me if I'm wrong), or should the LDAP server
> >encrypt it (which is how I understand iPlanet's server does it)?
>
> Password exop allows the client to provide a clear text value
> which the server stores as it pleases.  The OpenLDAP server
> pleases to use hashed passwords (RFC 2307 style).
>
> Kurt

-- 
Oliver Egginger
FH Giessen-Friedberg
DV-Zentrum
Wiesenstrasse 14
35390 Giessen
Tel. +49 641 309-1283
Fax  +49 641 309-2908
Mail: Oliver.Egginger@mni.fh-giessen.de
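
Added example (not part of the original messages and not OpenLDAP's own code): a Python audit of ldapsearch LDIF output that reports, per entry, whether userPassword carries an RFC 2307 style {SCHEME} prefix or is stored as cleartext, and shows that a hashed value is checked by re-hashing rather than decrypting. The DNs, passwords and salt are constructed sample data, and {SSHA} (salted SHA-1) is assumed as the server's hash scheme.

```python
import base64
import hashlib
import hmac
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")  # RFC 2307 style "{SCHEME}" prefix

def ssha(password: bytes, salt: bytes) -> str:
    """Salted SHA-1 value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, candidate: bytes) -> bool:
    """Verify a candidate by re-hashing with the stored salt; nothing is decrypted."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())

def audit_ldif(ldif: str) -> list:
    """Return (dn, scheme) for every userPassword value; no prefix means CLEARTEXT."""
    findings, dn = [], None
    for line in ldif.replace("\n ", "").splitlines():  # unfold continuation lines
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if name.lower() == "dn":
            dn = rest.strip()
        elif name.lower() == "userpassword":
            if rest.startswith(":"):  # "::" is base64 transport encoding, not hashing
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            match = SCHEME_RE.match(value)
            findings.append((dn, match.group(1).upper() if match else "CLEARTEXT"))
    return findings

def sample_ldif() -> str:
    """Constructed sample data (not taken from the thread)."""
    hashed = base64.b64encode(ssha(b"correct horse", b"\x01\x02\x03\x04").encode()).decode()
    plain = base64.b64encode(b"secret").decode()
    return (f"dn: uid=alice,dc=example,dc=com\nuserPassword:: {hashed}\n\n"
            f"dn: uid=bob,dc=example,dc=com\nuserPassword: secret\n\n"
            f"dn: uid=carol,dc=example,dc=com\nuserPassword:: {plain}\n")

if __name__ == "__main__":
    for dn, scheme in audit_ldif(sample_ldif()):
        print(f"{scheme:10} {dn}")
```

The carol entry shows that a base64 `userPassword::` line can still hold a cleartext password, so the audit decodes before looking for the scheme prefix.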