[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
> Is the 'password-hash' configuration function a server-wide setting only
Yes.
> or can it be set to different values for separate databases?
No.
> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
> (openldap-2.4.21) and I need to store the password for the MAC addresses
> in cleartext. I also use the LDAP server for user login which I don't
> want to keep in cleartext. So, my thought was to have 'password-hash
> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
> RADIUS database, but it appears that it's a global so I'm pretty sure
> this won't work.
>
> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a global
> 'password-hash {CLEARTEXT}', I have the following ldif file that I add
> with:
> ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
>
> Contents of mac.ldif:
> dn:uid=001e68d08ff9,o=radius
> uid: 001e68d08ff9
> cn: 001e68d08ff9
> userPassword: {cleartext}001e68d08ff9
> objectClass: top
> objectClass: radiusProfile
> objectClass: radiusObjectProfile
>
> but when I use ldapsearch or slapcat to dump the database, the
> userPassword line looks to be hashed.
> ldap_server# slapcat
> dn: o=radius
> o: radius
> objectClass: top
> objectClass: organization
> structuralObjectClass: organization
> entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
> creatorsName: cn=Manager,o=radius
> createTimestamp: 20100618220235Z
> entryCSN: 20100618220235.020635Z#000000#000#000000
> modifiersName: cn=Manager,o=radius
> modifyTimestamp: 20100618220235Z
>
> dn: uid=001e68d08ff9,o=radius
> uid: 001e68d08ff9
> cn: 001e68d08ff9
> userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
This is the base64 encoding of "{cleartext}001e68d08ff9"
Please note that slapd will hold what you store in it. password-hash only
hashes passwords that are written by the password modify extended
operation (RFC3062). So if you write passwords using an add or a modify
operation, it will be stored as it is provided.
p.