Re: password-hashing scheme
Vinh.CTR.Hoang@faa.gov writes:
> I'm on solaris 9 with Openldap 2.3.35. I have the password set as
> "clear" in the ldap.conf
There is no such option in OpenLDAP's ldap.conf. Maybe you are using
a Solaris client; you'll have to see what that keyword means there.
However...
> and password-hash as {MD5} in slapd.conf.
This is not related to authentication. See man slapd.conf: it means
that when you modify the password with the Password Modify extended
operation (e.g. OpenLDAP client ldappasswd) then slapd will hash the new
password and store it as "{MD5}<md5-hash>".
> Am I safe to assume that with these settings, it means that the client
> will be sent the passwords over the server as clear text and the
> server will hash it to MD5 before checking against its stored password
> list? If it is not the case, then how should I configure the client
> and server to be the case?
The LDAP Simple Bind operation always sends the password in the clear.
The server checks it against the user's userPassword attribute. That
attribute includes a "{hash algorithm}" prefix if it is hashed, so slapd
can know how to compare.
If you've just taken MD5 hashes and stuffed them into OpenLDAP without
an {MD5} prefix, that won't work. Also there are actually several kinds
of MD5 hashes out there - e.g. a Unix crypt extension supports hashes
which look something like "$1$...$....". In our server we store those
with a "{CRYPT}" prefix since it is crypt() which handles that (on
Linux). Then there are salted and unsalted MD5s - if you have salted,
you should use "{SMD5}", not "{MD5}".
--
Hallvard
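To illustrate the prefix convention described in the reply, here is an added example (not code from the post or from OpenLDAP) that builds and checks userPassword values in the {MD5} and {SMD5} forms; the salt and passwords are constructed test values. As in slapd, a value without a scheme prefix is treated as plaintext, so a bare MD5 hex string stored without {MD5} never matches the user's real password.

```python
import base64
import hashlib
import hmac

# RFC 2307 style encodings as used by OpenLDAP:
#   {MD5}  base64( md5(password) )
#   {SMD5} base64( md5(password + salt) + salt )
# {CRYPT} is intentionally not handled; it depends on the platform crypt().


def make_md5(password: str) -> str:
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def make_smd5(password: str, salt: bytes) -> str:
    digest = hashlib.md5(password.encode() + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode()


def check_password(candidate: str, stored: str) -> bool:
    """Compare a bind password against one userPassword value, choosing
    the comparison from the "{scheme}" prefix the way slapd does."""
    if not stored.startswith("{"):
        # No prefix: slapd treats the stored value as plaintext.
        return hmac.compare_digest(candidate.encode(), stored.encode())
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "MD5":
        expected = hashlib.md5(candidate.encode()).digest()
        return hmac.compare_digest(expected, base64.b64decode(payload))
    if scheme == "SMD5":
        raw = base64.b64decode(payload)
        digest, salt = raw[:16], raw[16:]  # MD5 digest is 16 bytes, rest is salt
        expected = hashlib.md5(candidate.encode() + salt).digest()
        return hmac.compare_digest(expected, digest)
    raise ValueError("unsupported password scheme: {%s}" % scheme)


if __name__ == "__main__":
    # Constructed values, not taken from any real directory.
    print(make_md5("secret"))
    print(check_password("secret", make_smd5("secret", b"abcd")))
```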