[Date Prev][Date Next] [Chronological] [Thread] [Top]

Can password-hash be database specific? also, storing and verifying cleartext passwords

To: openldap-technical@openldap.org, leach@coas.oregonstate.edu
Subject: Can password-hash be database specific? also, storing and verifying cleartext passwords
From: Tom Leach <leach@coas.oregonstate.edu>
Date: Tue, 22 Jun 2010 08:22:56 -0700
User-agent: Thunderbird 2.0.0.24 (X11/20100318)

Is the 'password-hash' configuration function a server-wide setting onlyor can it be set to different values for separate databases?

I'm trying to add MAC-auth RADIUS functionality to my LDAP server
(openldap-2.4.21) and I need to store the password for the MAC addresses
in cleartext.  I also use the LDAP server for user login which I don't
want to keep in cleartext.  So, my thought was to have 'password-hash
{SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the

RADIUS database, but it appears that it's a global so I'm pretty surethis won't work.


Also, how do I verify that the passwords are stored in cleartext?

On a test server, I've created just the radius database with a global'password-hash {CLEARTEXT}', I have the following ldif file that I add with:

ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server

Contents of mac.ldif:
    dn:uid=001e68d08ff9,o=radius
    uid: 001e68d08ff9
    cn: 001e68d08ff9
    userPassword: {cleartext}001e68d08ff9
    objectClass: top
    objectClass: radiusProfile
    objectClass: radiusObjectProfile

but when I use ldapsearch or slapcat to dump the database, the
userPassword line looks to be hashed.
ldap_server# slapcat
    dn: o=radius
    o: radius
    objectClass: top
    objectClass: organization
    structuralObjectClass: organization
    entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
    creatorsName: cn=Manager,o=radius
    createTimestamp: 20100618220235Z
    entryCSN: 20100618220235.020635Z#000000#000#000000
    modifiersName: cn=Manager,o=radius
    modifyTimestamp: 20100618220235Z

    dn: uid=001e68d08ff9,o=radius
    uid: 001e68d08ff9
    cn: 001e68d08ff9
    userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
    objectClass: top
    objectClass: radiusprofile
    objectClass: radiusObjectProfile
    structuralObjectClass: radiusObjectProfile
    entryUUID: 591d40f2-a155-4b49-a827-5bfd92ee8c32
    creatorsName: cn=Manager,o=radius
    createTimestamp: 20100619000726Z
    entryCSN: 20100619000726.747404Z#000000#000#000000
    modifiersName: cn=Manager,o=radius
    modifyTimestamp: 20100619000726Z


Here are the relevant lines from the slapd.conf file:
    include         /usr/local/etc/openldap/schema/core.schema
    include         /etc/openldap/schema/cosine.schema
    include         /etc/openldap/schema/inetorgperson.schema
    include         /etc/openldap/schema/nis.schema
    include         /etc/openldap/schema/radius.schema
    password-hash   {CLEARTEXT}
    database        bdb
    suffix          "o=radius"
    rootdn          "cn=Manager,o=radius"
    rootpw          "secret"
    directory       /var/lib/ldap/radius
    index   objectClass     eq
    index ou,cn,uid,memberUid               eq,pres,sub
    index uniqueMember                      eq,pres
    index entryCSN,entryUUID                eq

Follow-Ups:
- Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
  - From: masarati@aero.polimi.it
- Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- RE: Can password-hash be database specific? also, storing and verifying cleartext passwords
  - From: Siddhartha Jain <sjain@silverspringnet.com>
- Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Re: Copying trees from one consumer to another
Next by Date: Re: Regression failure on openldap-2.4.21 stable (test058-syncrepl-asymmetric)
Index(es):
- Chronological
- Thread