
Re: Question about password storage.



On 06/07/10 15:44 -0700, Bryan Boone wrote:
Hi Dan thanks for the information.  Let me see if I understand now.

#1.  If I write an application that uses plain LDAP for authentication. 
First I will need to make sure that the openLDAP server has a userPassword
that uses let's say {crypt} hash.  Then, in my application I will need to
hash the clear text password using {crypt}, then bind (transmit over the
network) using the hashed password.  Is that correct?

No. If you hash the password within the userPassword attribute, then you
will need to submit the cleartext password to the server for hashing
verification.

This process is akin to the Unix crypt process for password verification.
See the man pages for crypt, or http://en.wikipedia.org/wiki/Crypt_(Unix).

It offers no network protection in itself.

#2.  For better security I would use ldap_start_tls.  But the same
password limitations would exist as in #1.  Is that correct?

#3.  If a customer has a special environment and has clear text passwords
stored in openLDAP.  Then the chances are that they will have a special
front-end software (SASL binding) that is more robust and is able to
perform better authentication methods that do not transmit the password
across the network (i.e. Digest-MD5).  Is this correct?

DIGEST-MD5 does not transmit the password across the network; that part is
correct.

If you're writing your own application, then you have the opportunity to
develop your SASL logic up front. Fortunately the OpenLDAP client libraries
do the bulk of the work for you.

Many (but not all) clients already support SASL.

Either way, you should consider making TLS a requirement for your users.

________________________________
From: Dan White <dwhite@olp.net>
To: Bryan Boone <v_1bboon@yahoo.com>
Cc: openldap-technical@openldap.org
Sent: Tue, July 6, 2010 3:12:00 PM
Subject: Re: Question about password storage.

On 06/07/10 14:44 -0700, Bryan Boone wrote:
If it is not typical to store passwords in LDAP in hashed form, then how
are you supposed to bind to LDAP without transmitting the clear text
password across the network?  I understand that SSL and Kerberos will fix
this problem, but what if a user just wants to use plain LDAP?  Would I
need to dictate to a customer that they must use a hash alg. in the
userPassword in this case?

I believe your question is based on a misinterpretation of the above.
Storing the password in clear text within the userPassword attribute opens
up several SASL based authentication mechanisms which do not transmit the
password over the network, such as with DIGEST-MD5 (See RFC 2831).

--
Dan White
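The two points Dan makes in this thread (a hashed userPassword is checked server-side from the cleartext the client sends on a simple bind, so client-side hashing buys nothing; DIGEST-MD5 keeps the password off the wire but needs a store the server can derive the secret from) can be shown in a few lines. The following is an added illustration written for this archive page, not OpenLDAP's code. It assumes the {SSHA} scheme (which OpenLDAP does support) in place of the thread's {crypt}, purely so it runs without the platform crypt(3) module, and the challenge/response part is a simplified sketch of the RFC 2831 idea, not a conformant DIGEST-MD5 implementation. All users, realms, salts and nonces are constructed sample values.

```python
"""Added illustration of the thread's two points; not OpenLDAP code.

1. A hashed userPassword ({SSHA} here, chosen instead of {CRYPT} so the
   example does not depend on the platform crypt(3) module) is verified
   server-side from the cleartext the client sends on a simple bind.
   Sending the hash instead of the password fails.
2. A DIGEST-MD5 style challenge/response keeps the password off the wire,
   but the server can only check it if it can derive H(user:realm:pass),
   which a one-way hashed store cannot provide.  The response computation
   is a simplified sketch of RFC 2831, not a conformant implementation.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_simple_bind(stored: str, submitted: str) -> bool:
    """Server side of a simple bind against a hashed userPassword.

    The server re-hashes whatever the client sent with the stored salt and
    compares, so the client must send the cleartext; without TLS the wire
    carries it.  Submitting the stored hash itself does not verify.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # sha1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(submitted.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def digest_secret(user: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the value a DIGEST-MD5 server needs (RFC 2831)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()


def digest_response(secret: bytes, nonce: str, cnonce: str) -> str:
    """Client side: prove knowledge of the secret without sending it (simplified)."""
    return hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()


def verify_digest_bind(stored: str, user: str, realm: str,
                       nonce: str, cnonce: str, response: str) -> bool:
    """Server side: recompute the expected response from the stored userPassword.

    With a cleartext userPassword the server can derive the secret.  With a
    {SCHEME}-hashed value it cannot, so the mechanism is unusable for that
    entry, which is the trade-off the thread describes.
    """
    if stored.startswith("{"):
        return False  # one-way hash: H(user:realm:pass) cannot be reconstructed
    expected = digest_response(digest_secret(user, realm, stored), nonce, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # constructed sample values
    hashed_store = ssha_hash("s3cret", salt=b"constructed")
    print("simple bind, cleartext sent:", verify_simple_bind(hashed_store, "s3cret"))
    print("simple bind, hash sent:     ", verify_simple_bind(hashed_store, hashed_store))
    secret = digest_secret("bryan", "example.com", "s3cret")
    resp = digest_response(secret, "nonce-1", "cnonce-1")
    print("digest, cleartext store:", verify_digest_bind("s3cret", "bryan", "example.com",
                                                         "nonce-1", "cnonce-1", resp))
    print("digest, hashed store:   ", verify_digest_bind(hashed_store, "bryan", "example.com",
                                                         "nonce-1", "cnonce-1", resp))
```

Running it prints True, False, True, False in that order: the hashed store works only when the cleartext crosses the wire (hence Dan's advice to require TLS), and the challenge/response works only when the server holds the cleartext or an equivalent secret. Real OpenLDAP simple binds with {CRYPT} follow the same shape with crypt(3) in place of the SHA-1 step.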