[Date Prev][Date Next] [Chronological] [Thread] [Top]

Can password-hash be database specific? also, storing and verifying cleartext passwords



Is the 'password-hash' configuration function a server-wide setting only or can it be set to different values for separate databases?
I'm trying to add MAC-auth RADIUS functionality to my LDAP server
(openldap-2.4.21) and I need to store the password for the MAC addresses
in cleartext.  I also use the LDAP server for user login which I don't
want to keep in cleartext.  So, my thought was to have 'password-hash
{SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
RADIUS database, but it appears that it's a global so I'm pretty sure this won't work.

Also, how do I verify that the passwords are stored in cleartext?
On a test server, I've created just the radius database with a global 'password-hash {CLEARTEXT}', I have the following ldif file that I add with:
ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server

Contents of mac.ldif:
    dn:uid=001e68d08ff9,o=radius
    uid: 001e68d08ff9
    cn: 001e68d08ff9
    userPassword: {cleartext}001e68d08ff9
    objectClass: top
    objectClass: radiusProfile
    objectClass: radiusObjectProfile

but when I use ldapsearch or slapcat to dump the database, the
userPassword line looks to be hashed.
ldap_server# slapcat
    dn: o=radius
    o: radius
    objectClass: top
    objectClass: organization
    structuralObjectClass: organization
    entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
    creatorsName: cn=Manager,o=radius
    createTimestamp: 20100618220235Z
    entryCSN: 20100618220235.020635Z#000000#000#000000
    modifiersName: cn=Manager,o=radius
    modifyTimestamp: 20100618220235Z

    dn: uid=001e68d08ff9,o=radius
    uid: 001e68d08ff9
    cn: 001e68d08ff9
    userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
    objectClass: top
    objectClass: radiusprofile
    objectClass: radiusObjectProfile
    structuralObjectClass: radiusObjectProfile
    entryUUID: 591d40f2-a155-4b49-a827-5bfd92ee8c32
    creatorsName: cn=Manager,o=radius
    createTimestamp: 20100619000726Z
    entryCSN: 20100619000726.747404Z#000000#000#000000
    modifiersName: cn=Manager,o=radius
    modifyTimestamp: 20100619000726Z


Here are the relevant lines from the slapd.conf file:
    include         /usr/local/etc/openldap/schema/core.schema
    include         /etc/openldap/schema/cosine.schema
    include         /etc/openldap/schema/inetorgperson.schema
    include         /etc/openldap/schema/nis.schema
    include         /etc/openldap/schema/radius.schema
    password-hash   {CLEARTEXT}
    database        bdb
    suffix          "o=radius"
    rootdn          "cn=Manager,o=radius"
    rootpw          "secret"
    directory       /var/lib/ldap/radius
    index   objectClass     eq
    index ou,cn,uid,memberUid               eq,pres,sub
    index uniqueMember                      eq,pres
    index entryCSN,entryUUID                eq