
Re: openLDAP + backsql + salted_hashed_password, how to adopt the mappings



On 12/16/12 08:55 +0100, DavidHornung wrote:
I already set up a self-compiled openldap-server 2.4.33 on CentOS6 with
back-sql, especially postgresql as backend.  I am already able to
authenticate from my MoinMoin Wiki via LDAP - but up to now the
passwords are saved in clear text in the postgresql table.

Now I want to save the passwords as salted hash, regarding to postgresql documentation

See chapter 14.4 of the OpenLDAP Administrator's Guide.

If the output of your postgresql crypt function produces a compatible
format, use a concatenation function to prepend '{CRYPT}' (or other
identifier) to your hash before postgresql hands the data off to back-sql.

On 12/16/12 12:04 +0100, DavidHornung wrote:
I have to say thank you! I changed in the table ldap_attr_mappings the value of userPassword from
persons.password

to
text('{CRYPT}'||persons.password)

Now I am able to auth against the salted MD5 passwords!

One further question:
I tried to use blowfish
UPDATE persons SET password = crypt('secret', gen_salt('bf'));
instead of md5
UPDATE persons SET password = crypt('secret', gen_salt('md5'));

but I could not authenticate, what could be the problem?

Check your local manpage for crypt(3) to see if blowfish is supported on
your system, and that the ID matches the postgresql output.

--
Dan White
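
Added example, not part of the original thread: a small Python check of the ID comparison suggested above, which reads the $id$ prefix from a stored hash, builds the {CRYPT} userPassword value, and compares the ID with those the local crypt(3) supports. The sample hashes are constructed placeholders, and LOCAL_IDS is an assumed set standing in for what the local manpage lists.

```python
import re

# crypt(3) modular format: $<id>$<rest>. IDs as listed in the Linux crypt(3) manpage.
ALGORITHMS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
PREFIX = re.compile(r"^\$([0-9a-z]+)\$")


def crypt_id(stored):
    """Return the scheme ID of a crypt-style hash, or 'des' if it has no $id$ prefix."""
    m = PREFIX.match(stored)
    return m.group(1) if m else "des"


def user_password(stored):
    """Value back-sql should hand to slapd for userPassword: scheme tag plus the hash."""
    return "{CRYPT}" + stored


def diagnose(stored, local_ids):
    """Compare the hash's ID with the IDs the local crypt(3) supports."""
    cid = crypt_id(stored)
    return {
        "id": cid,
        "algorithm": ALGORITHMS.get(cid, "unknown"),
        "userPassword": user_password(stored),
        "verifiable": cid in local_ids,
    }


# Constructed sample values shaped like crypt() output; not real password hashes.
MD5_SAMPLE = "$1$" + "a" * 8 + "$" + "b" * 22
BF_SAMPLE = "$2a$06$" + "c" * 53

# Assumption: IDs read off the local crypt(3) manpage on a host without Blowfish.
LOCAL_IDS = {"des", "1", "5", "6"}

if __name__ == "__main__":
    for sample in (MD5_SAMPLE, BF_SAMPLE):
        print(diagnose(sample, LOCAL_IDS))
```

A hash whose ID is missing from the local set will be stored and mapped correctly but can never verify at bind time, because slapd's {CRYPT} scheme delegates to the system crypt(3).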