Marcelo de Moraes Serpa wrote:
Hi Dieter, thanks for the reply.
Yeah, the folks @ #openladp were kind enough to help me to debug this issue. It turned out that it was a simple detail (as mostly always :)) -- When I created the ldif, I've put the password in clear text, however, I didn't do anything to tell openldap that it was actually cleartext nor I knew I had to. The whole time I though it had to do with ACLs (OpenLDAP denying read-access to userPassword), but the problem was that OpenLDAP was trying to authenticate using SHA-1, and the password was stored as clear text.
The solution? Store the password as a SHA-1 hash. Nobody would want to store password as clear-text anyway.
There's nothing wrong with storing a clear-text password like
userPassword: secret_12345
in the directory entry. In fact you have to when e.g. using SASL/DIGEST-MD5 bind with in-directory passwords.
When processing a simple bind slapd looks whether a password is stored in hashed form by looking at a magic prefix like {SSHA}. If that prefix is not there it is assumed that the password is stored in clear and this gets compared.
So, issue solved!
Hmm, I think you mixed up something.
Ciao, Michael.