[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: When/why use slappasswd or any password digests



At 08:05 AM 3/24/2004, Thomas Gagné wrote:
>I'm trying to understand the role encrypted passwords play in OpenLDAP.

They play a similar role in OpenLDAP Software as digested passwords
play in Unix (or other operating system) account login processes.
If the storage mechanism is cracked, the value is not directly
usable for authentication.

Note that use of digested password storage mechanisms are
not standardized.  While there is some convergence between
various vendors, there is also ample divergence.  Technically,
userPassword is suppose to be the user's password, in clear text.

>I thought they were an alternative way to exchange passwords.

No.

>Instead of sending them in the clear during ldap_bind_s() I thought I could supply one of the HASHs--but this doesn't seem to work.

Yes.  We want to confirm the user knows the password.  Having
the user (or the client on the users behalf, not the servers)
produce a hash does nothing to confirm the user actually knows
the password.  If hashes were exchanged, then a rough client
could easily just sniff the hashes and use them directly to
gain access.  Hence, they add no value to the exchange.

The exchange should be protected by other means, such as TLS
(e.g., -ZZ or ldaps://).  Or non-cleartext password mechanisms
should be used, such as SASL/DIGEST-MD5.

>Are the digests something used strictly for storing the passwords?

Yes.

>Is there any way/reason to use the digests?

Password digests are generally used for security reasons
(to mitigate damage caused if the store is cracked).

There are reasons not to use such digests, such as they cannot
be used in supporting SASL/DIGEST-MD5, LDAP's mandatory-to-
implement strong authentication mechanism.  That is, if
userPassword holds the actual password, slapd(8) is capable
of using it for DIGEST-MD5 authentication.

Note to Tony: since password hashing and associated storage
mechanisms may be server specific, and OpenLDAP Software
mechanisms are certainly somewhat server specific, I think
this thread is reasonably on-topic.  Certainly aspects of
my answer are OpenLDAP Software specific.

Kurt