
Re: userPassword hash



On Fri, 22 Nov 2002, Raphaël Berghmans wrote:

> Hello,
> 
> My slapd.conf is configured with the option password-hash {crypt}. When
> I change a userPassword with ldappasswd, the value of the userPassword
> attribute is correctly crypted. But when I use the PHP interface and change
> the password with the generic PHP method ldap_modify(), I have to crypt
> the password with a PHP method before sending the modification to the LDAP
> server. Why?
> 
> I thought that LDAP would itself crypt the userPassword value if this value is
> not crypted.
> 
> Any explanations?

My understanding is this:

{crypt} means crypted locally by the client machine, _not_ by the LDAP server.
I.e. you set up your local machine to use MD5 passwords, then you
use the '{crypt}' prefix to store the passwords in the LDAP DB.

Otherwise you could use plain passwords on the client, use the password
'extended operations' and then OpenLDAP will encrypt the passwords itself
according to the 'password-hash' given in slapd.conf.

I don't know about PHP but I suspect the 'generic' method doesn't
know about OpenLDAP extended operations so it ends up as plain.

Cheers,
-- 
Ryurick M. Hristev mailto:ryurick.hristev@canterbury.ac.nz
Computer Systems Manager
University of Canterbury, Physics & Astronomy Dept., New Zealand
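
Added example, not part of the original message or of OpenLDAP: a Python audit of an LDIF export that flags the outcome discussed in this thread, a userPassword written by a plain modify and stored without a hash scheme prefix. The function names, DNs, passwords and hash strings are constructed for illustration.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.S)
# crypt(3) encodes its algorithm in the hash prefix; {CRYPT} alone does not say which.
CRYPT_VARIANTS = {"$1$": "md5-crypt", "$2": "bcrypt",
                  "$5$": "sha256-crypt", "$6$": "sha512-crypt"}

def classify(value):
    """Return the storage scheme of one userPassword value."""
    m = SCHEME_RE.match(value)
    if not m or m.group(1).upper() == "CLEARTEXT":
        return "cleartext"
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme.lower()
    for prefix, name in CRYPT_VARIANTS.items():
        if rest.startswith(prefix):
            return "crypt/" + name
    return "crypt/des" if len(rest) == 13 else "crypt/unknown"

def audit(ldif):
    """Map each DN in an LDIF export to the scheme of its userPassword."""
    findings, dn = {}, None
    for line in ldif.replace("\n ", "").splitlines():  # undo LDIF line folding
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # base64 form, as slapcat emits
            findings[dn] = classify(base64.b64decode(line[15:]).decode("utf-8", "replace"))
        elif line.startswith("userPassword: "):
            findings[dn] = classify(line[14:])
    return findings

def _b64(text):
    return base64.b64encode(text.encode()).decode()
# Constructed sample export: DNs, passwords and hash strings are made up.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword:: " + _b64("{CRYPT}$1$saltsalt$" + "x" * 22),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword:: " + _b64("Winter2002"),  # stored exactly as the client sent it
    "",
    "dn: uid=carol,ou=people,dc=example,dc=org",
    "userPassword: {SSHA}" + _b64("d" * 20 + "salt"),
])

if __name__ == "__main__":
    for dn, scheme in audit(SAMPLE_LDIF).items():
        print(f"{scheme:18} {dn}")
```

Entries reported as `cleartext` are the ones to reset through a path that hashes the value, either client-side before the modify or via the password modify extended operation.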