
Re: Can password-hash be database specific? also, storing and verifying cleartext passwords



masarati@aero.polimi.it wrote:
-----Original Message-----
Is the 'password-hash' configuration function a server-wide setting only, or can it be set to different values for separate databases?

I'm trying to add MAC-auth RADIUS functionality to my LDAP server (openldap-2.4.21) and I need to store the password for the MAC addresses in cleartext. I also use the LDAP server for user login, which I don't want to keep in cleartext. So, my thought was to have 'password-hash {SSHA}' for the users database and 'password-hash {CLEARTEXT}' for the RADIUS database, but it appears that it's a global, so I'm pretty sure this won't work.

Yes, each database can have a different hashing mechanism set.
http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html

I'm afraid that man page is incorrect. As far as I know, that directive is global, not database specific. That's what I get from the code (and what I remembered). You can check yourself by adding the directive and inspecting the content of cn=config.

At the very least, we need to fix the manpage.

The manpage is correct. It clearly states "This setting is only allowed in the frontend entry."


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
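The thread's practical advice is to inspect cn=config to see where password-hash actually lives. The following Python script is an added example, not code from this thread or from the OpenLDAP project: it parses an LDIF fragment of cn=config (the sample below is constructed by hand, not dumped from a real server) and reports every entry that carries olcPasswordHash, which value is the one slapd applies (the one on the frontend entry, `olcDatabase={-1}frontend,cn=config`), and which values sit on a per-database entry where, per the thread, they are not a supported placement. The entry and attribute names are the standard cn=config ones; the suffixes are made up.

```python
"""Audit where olcPasswordHash is set in a cn=config LDIF fragment.

Added example, not from the thread. SAMPLE_LDIF is a constructed fragment in
the shape that `ldapsearch -LLL -b cn=config '(olcPasswordHash=*)'` returns or
that one would prepare for slapadd; it is not output from a real server.
"""
import re

SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcPasswordHash: {SSHA}

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=users,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=radius,dc=example,dc=com
olcPasswordHash: {CLEARTEXT}
"""

# The only entry on which password-hash takes effect (see the thread).
FRONTEND_DN = "olcDatabase={-1}frontend,cn=config"


def parse_ldif(text):
    """Split an LDIF dump into a list of (dn, {attr: [values]}) tuples.

    Handles blank-line separated entries, leading-space continuation lines
    and '#' comments. Base64 ('::') values are kept undecoded, which is
    fine for the attributes inspected here.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        block = re.sub(r"\n ", "", block)  # join folded continuation lines
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def password_hash_settings(text):
    """Map DN -> list of olcPasswordHash values for every entry carrying it."""
    return {dn: attrs["olcPasswordHash"]
            for dn, attrs in parse_ldif(text)
            if "olcPasswordHash" in attrs}


def effective_hash(text):
    """The scheme slapd will apply: the frontend entry's value.

    Returns None when the frontend entry sets nothing, in which case slapd's
    documented default of {SSHA} applies.
    """
    return password_hash_settings(text).get(FRONTEND_DN)


def misplaced_settings(text):
    """DNs of per-database entries that carry olcPasswordHash.

    password-hash is a frontend-only setting, so such a value will not give
    that database its own hashing scheme.
    """
    return sorted(dn for dn in password_hash_settings(text) if dn != FRONTEND_DN)


if __name__ == "__main__":
    print("effective password-hash:", effective_hash(SAMPLE_LDIF))
    for dn in misplaced_settings(SAMPLE_LDIF):
        print("WARNING: olcPasswordHash on non-frontend entry:", dn)
```

Run against a real dump (`ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcPasswordHash=*)'` on a typical installation), the script answers the poster's question directly: whatever the frontend entry says is what every database gets, so a {CLEARTEXT} setting meant only for the RADIUS database would also turn off hashing for the user-login database.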