Because the possibility to use a hashed password value for user authentication is a very big security risk.
You can maybe read userPassword attributes for all OpenLDAP users (if ACLs are defined incorrectly) and after that perform any operation as any "legal" authenticated user.
As a solution to this problem, OpenLDAP (or any other system) must accept only the cleartext password.
Andris Eiduks
System security specialist TietoEnator SIA Banking & Insurance
-----Original Message-----
From: openldap-software-bounces+andris.eiduks=tietoenator.com@OpenLDAP.org [mailto:openldap-software-bounces+andris.eiduks=tietoenator.com@OpenLDAP.org] On Behalf Of Buchan Milne
Sent: Wednesday, April 04, 2007 12:19 PM
To: openldap-software@openldap.org
Cc: Rocky Zhou
Subject: Re: why '{SSHA}***' method is "Invalid credentials (49)"?
On Tuesday 03 April 2007, Rocky Zhou wrote:
Now I'm making openldap and Kerberos work together, and I have a question about the password ldap uses. The configuration file /usr/local/etc/openldap/slapd.conf has these lines:

# rootpw secret
rootpw {SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ

where the second line is generated by slappasswd. I tried to use:

sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w '{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ'

to import account info into the database, but it reports:

ldap_bind: Invalid credentials (49)
If I use:

rootpw secret

sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w 'secret'

it works.
So why does the '{SSHA}' method fail?
Because hashes are one-way.
It would be pointless if you could use the hash as a clear-text equivalent.
If you want strong authentication, don't use simple binds (thus, you need to end up removing rootpw).
Regards, Buchan
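To make the point of the two replies above concrete, here is an added example (not code from the thread or from OpenLDAP itself) that reproduces what slapd does when a simple bind is checked against an {SSHA} userPassword value: it decodes the stored value into the SHA-1 digest and the trailing salt, recomputes SHA-1(candidate || salt), and compares. Feeding the stored hash string back in as the "password" is hashed like any other string and never matches, which is exactly the "Invalid credentials (49)" Rocky saw. The fixed salt and the "secret" password used in the demo are constructed for the example; the THREAD_HASH constant is the value quoted in the thread and is only inspected structurally.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# {SSHA} value quoted in the thread above (produced there by slappasswd).
# It is only decoded here to show the layout; we do not know its cleartext.
THREAD_HASH = "{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ"

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value.

    Layout: "{SSHA}" + base64( SHA-1(password || salt) || salt ).
    slappasswd uses a 4-byte random salt by default; the salt is stored
    in the clear after the digest so the server can recompute the digest
    at bind time. The digest itself cannot be reversed to the password.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt)."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) < DIGEST_LEN:
        raise ValueError("decoded value shorter than a SHA-1 digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(stored: str, candidate: str) -> bool:
    """What slapd does for a simple bind against an {SSHA} userPassword:
    hash the candidate with the stored salt and compare digests.

    The candidate is always treated as cleartext, so presenting the
    stored hash string as the password simply hashes that string and
    fails to match.
    """
    digest, salt = parse_ssha(stored)
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


def demo() -> dict:
    """Reproduce the three bind attempts discussed in the thread."""
    # Constructed example: password "secret" with a fixed 4-byte salt.
    stored = ssha_hash("secret", salt=b"\x01\x02\x03\x04")
    return {
        "cleartext_binds": verify_ssha(stored, "secret"),        # True
        "hash_as_password_binds": verify_ssha(stored, stored),   # False (49)
        "wrong_password_binds": verify_ssha(stored, "Secret"),   # False (49)
    }


if __name__ == "__main__":
    digest, salt = parse_ssha(THREAD_HASH)
    print(f"thread hash: {len(digest)}-byte digest, {len(salt)}-byte salt")
    for name, ok in demo().items():
        print(f"{name}: {'success' if ok else 'Invalid credentials (49)'}")
```

The same one-way property is why a readable userPassword attribute matters less for impersonation than Andris's scenario suggests for simple binds (the hash cannot be replayed as a password), but it still exposes the hashes to offline cracking; the usual slapd.conf protection is an ACL of the form `access to attrs=userPassword by self write by anonymous auth by * none`, which lets the server compare a bind password without letting any user read the stored values.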