
Re: Using Password-hash to create secure passwords..



Will do, thanks!

----- Original Message ----- From: "Rob Tanner" <rtanner@linfield.edu>
To: <fuser9bb@hotpop.com>
Cc: <openldap-software@OpenLDAP.org>
Sent: Friday, January 28, 2005 11:08 AM
Subject: Re: Using Password-hash to create secure passwords..



I asked a similar question a while back and the answer is that it does not do
so by design. Look in the archives for September of 2004 for the entire
thread. The subject was "Passwords don't appear to hash ???".


(This list is archived, isn't it?)

-- Rob

--On Thursday, January 27, 2005 04:14:25 PM -0600 fuser9bb@hotpop.com wrote:

We want to ensure that the userPassword field is secure. Currently, we are
doing this via two methods:


1. All connections must be over SSL.
2. When we create a password we supply it as a hash.

When creating an account entry in LDAP, our LDAP directory management tool
(which only speaks LDAP and does not use any proprietary OpenLDAP tools like
slapadd) creates a hash like so:


{MD5}3kl4jdlkjfdflkdj

We then insert that along with our other entries:

dn: uid=abc,ou=company
objectClass: ...
objectClass: ...
uid: abc
userPassword: {MD5}3kl4jdlkjfdflkdj

Can we use the Password-hash function so that our LDAP management
application can just submit the userPassword in plaintext (communication is
of course over SSL though) so that OpenLDAP will hash it for us?


1. We create an entry in the app.

2. The app sends:

dn: uid=abc,ou=company
changetype: add
objectClass: ...
objectClass: ...
uid: abc
userPassword: mypassword

3. slapd gets the new entry and then automatically hashes userPassword into
{MD5}3kl4jdlkjfdflkdj.


4. slapd stores the record, including the now hashed userPassword.

I was playing with ldapadmin and noticed that it allows you to specify one
of several hashing types. If I set Password-hash, can I override this? I
assume I can by just supplying {TYPE}... like so:


userPassword: {MD5}3kl4jdlkjfdflkdj

So will slapd only honor Password-hash if I do plaintext?

userPassword: mypassword





-- Rob Tanner UNIX Services Manager Linfield College, McMinnville OR
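An added example, not code from this thread or from OpenLDAP: the client-side hashing that the management tool in the question does before sending userPassword, for the {MD5}, {SHA}, {SMD5} and {SSHA} formats slapd accepts (RFC 2307 scheme prefix, then base64 of the digest, with the salt appended to the digest for the salted schemes), plus a verifier that treats a value without a scheme prefix as cleartext. That cleartext branch is the failure mode the thread is about: slapd's password-hash directive only governs values set through the Password Modify extended operation (RFC 3062), so a plaintext userPassword that arrives on an add or modify is stored exactly as received. Function names and the sample password are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# RFC 2307 / OpenLDAP userPassword scheme formats:
#   {MD5}  base64(md5(password))
#   {SHA}  base64(sha1(password))
#   {SMD5} base64(md5(password + salt) + salt)
#   {SSHA} base64(sha1(password + salt) + salt)
# Unsalted schemes are deterministic (same password -> same value);
# salted schemes append the random salt after the digest.
_SCHEMES = {
    "MD5": (hashlib.md5, False),
    "SHA": (hashlib.sha1, False),
    "SMD5": (hashlib.md5, True),
    "SSHA": (hashlib.sha1, True),
}


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Return a {SCHEME}base64 value suitable for the userPassword attribute,
    hashed on the client the way the management tool in the thread does."""
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    digest_fn, salted = _SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        if salt is None:
            salt = os.urandom(8)  # slappasswd also uses a short random salt
        raw = digest_fn(pw + salt).digest() + salt
    else:
        raw = digest_fn(pw).digest()
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def is_hashed(stored: str) -> bool:
    """True if the stored value carries a known {SCHEME} prefix."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    return stored[1:stored.index("}")].upper() in _SCHEMES


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    A value without a {SCHEME} prefix is compared as cleartext, which is what
    slapd holds when userPassword was added or modified in plaintext: the
    password-hash directive does not apply to add/modify, only to the
    Password Modify extended operation."""
    pw = password.encode("utf-8")
    if not is_hashed(stored):
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    end = stored.index("}")
    digest_fn, salted = _SCHEMES[stored[1:end].upper()]
    raw = base64.b64decode(stored[end + 1:])
    dlen = digest_fn().digest_size
    if salted:
        digest, salt = raw[:dlen], raw[dlen:]
        expected = digest_fn(pw + salt).digest()
    else:
        digest, expected = raw, digest_fn(pw).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: the same password as the thread's LDIF would carry.
    for scheme in ("MD5", "SHA", "SMD5", "SSHA"):
        value = hash_userpassword("mypassword", scheme)
        print("userPassword:", value, verify_userpassword("mypassword", value))
    # What slapd actually stores for a plaintext add: the plaintext itself.
    print("userPassword: mypassword", is_hashed("mypassword"))
```

Prefer {SSHA} over {MD5} when hashing on the client: the unsalted schemes give the same value for the same password across every entry, so one cracked digest reveals every account sharing it. The `is_hashed` check is the audit you want after a bulk load: any userPassword value it rejects was stored as received.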