RE: Can password-hash be database specific? also, storing and verifying cleartext passwords
> -----Original Message-----
> Is the 'password-hash' configuration function a server-wide setting only,
> or can it be set to different values for separate databases?
>
> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
> (openldap-2.4.21) and I need to store the password for the MAC addresses
> in cleartext. I also use the LDAP server for user login, which I don't
> want to keep in cleartext. So, my thought was to have 'password-hash
> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
> RADIUS database, but it appears that it's a global, so I'm pretty sure
> this won't work.
Yes, each database can have a different hashing mechanism set.
http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html
olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used in
generation of user passwords stored in the userPassword
attribute during processing of LDAP Password Modify Extended
Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
{SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
You can have more than one password set for a user and have each password use a different hash mechanism.
>
> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a global
> 'password-hash {CLEARTEXT}', I have the following ldif file that I add
> with:
What you see is a base64 encoded string.
http://www.openldap.org/faq/data/cache/1346.html
I am not familiar with MAC-auth RADIUS. Does it require that you pass a clear-text string to the RADIUS server? Mostly, RADIUS should send a "bind" request to LDAP and if that succeeds it will allow auth. If that is the case, you should not have to use clear-text passwords.
Hope this helps,
- Siddhartha