[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Can password-hash be database specific? also, storing and verifying cleartext passwords

To: "Tom Leach" <leach@coas.oregonstate.edu>
Subject: Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
From: masarati@aero.polimi.it
Date: Thu, 24 Jun 2010 18:19:26 +0200 (CEST)
Cc: openldap-technical@openldap.org
Importance: Normal
In-reply-to: <4C20D550.8030503@coas.oregonstate.edu>
References: <4C20D550.8030503@coas.oregonstate.edu>
User-agent: SquirrelMail/1.4.15

> Is the 'password-hash' configuration function a server-wide setting only

Yes.

> or can it be set to different values for separate databases?

No.

> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
> (openldap-2.4.21) and I need to store the password for the MAC addresses
> in cleartext.  I also use the LDAP server for user login which I don't
> want to keep in cleartext.  So, my thought was to have 'password-hash
> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
> RADIUS database, but it appears that it's a global so I'm pretty sure
> this won't work.
>
> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a global
> 'password-hash {CLEARTEXT}', I have the following ldif file that I add
> with:
> ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
>
> Contents of mac.ldif:
>      dn:uid=001e68d08ff9,o=radius
>      uid: 001e68d08ff9
>      cn: 001e68d08ff9
>      userPassword: {cleartext}001e68d08ff9
>      objectClass: top
>      objectClass: radiusProfile
>      objectClass: radiusObjectProfile
>
> but when I use ldapsearch or slapcat to dump the database, the
> userPassword line looks to be hashed.
> ldap_server# slapcat
>      dn: o=radius
>      o: radius
>      objectClass: top
>      objectClass: organization
>      structuralObjectClass: organization
>      entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
>      creatorsName: cn=Manager,o=radius
>      createTimestamp: 20100618220235Z
>      entryCSN: 20100618220235.020635Z#000000#000#000000
>      modifiersName: cn=Manager,o=radius
>      modifyTimestamp: 20100618220235Z
>
>      dn: uid=001e68d08ff9,o=radius
>      uid: 001e68d08ff9
>      cn: 001e68d08ff9
>      userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=

This is the base64 encoding of "{cleartext}001e68d08ff9"

Please note that slapd will hold what you store in it.  password-hash only
hashes passwords that are written by the password modify extended
operation (RFC3062).  So if you write passwords using an add or a modify
operation, it will be stored as it is provided.

p.

Follow-Ups:
- Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
  - From: Tom Leach <leach@coas.oregonstate.edu>

References:
- Can password-hash be database specific? also, storing and verifying cleartext passwords
  - From: Tom Leach <leach@coas.oregonstate.edu>

Prev by Date: Re: ldaprc with ldaps:// and ldap:// fallback
Next by Date: Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
Index(es):
- Chronological
- Thread