I'm gathering from reading various sites that openldap doesn't allow a person to specify multiple hash algorithms in the slapd.conf file. Is this correct? If only one can be listed, then when I specify a password in a custom client, openldap will automatically hash the plaintext version of the password that I supply to it so that the password is stored in hashed form, is that correct?
One last question: if multiple hashes can't be listed in the slapd.conf, would a user be able to specify which type of hash he/she wishes to use when they go to change their password using a client, or would the hash specifier (e.g. {MD5}) become part of the password when that is attempted?
Thanks
Brandon McCombs wrote:
I'm gathering from reading various sites that openldap doesn't allow a person to specify multiple hash algorithms in the slapd.conf file. Is this correct?
Gathering info from various sites around the web is a bad idea, when the info is plainly available in the OpenLDAP documentation, in this case the slapd.conf(5) manpage:
password-hash <hash> [<hash>...]
This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062).
As usual - it's great that people want to help out and write up their experiences using the software. It would be better if they actually brought their writeups back into the Project (e.g., submissions to ITS) so that they could be checked for accuracy, and eventually merged into the Project's own doc offerings and regularly maintained. The vast majority of 3rd party docs on the web is either outdated and no longer correct, or was never correct in the first place. Until people realize that going off on their own to write something is self-defeating (that goes for both code and documentation) they're only going to do more harm than good. The community works because we all learn from each other and all of our work improves as a result. Working outside of the community will only generate dead ends.
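As an added illustration (not code from this thread or from OpenLDAP itself), the following Python script shows what the manpage text above means in practice: it parses the {SCHEME} prefix of a userPassword value and verifies a candidate password in the RFC 2307 style that slapd stores; make_hash mirrors what the password-hash directive does when a password arrives via the Password Modify exop, and a value with no prefix is treated as cleartext, which is what you get when a client writes the attribute directly. Function names and the fixed salt are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Digest lengths let us split "digest || salt" in the salted schemes.
_DIGESTS = {"SHA": ("sha1", 20), "SSHA": ("sha1", 20),
            "MD5": ("md5", 16), "SMD5": ("md5", 16)}


def split_scheme(value: str):
    """Return (scheme, payload); scheme is None when there is no {SCHEME} prefix."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value


def make_hash(scheme: str, password: str, salt: bytes = None) -> str:
    """Build a userPassword value the way a password-hash setting would for the exop."""
    scheme = scheme.upper()
    algo, _ = _DIGESTS[scheme]
    if scheme in ("SSHA", "SMD5"):
        salt = os.urandom(4) if salt is None else salt  # constructed salt in tests
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify(stored: str, candidate: str) -> bool:
    """Check candidate against a stored value; no prefix means cleartext comparison."""
    scheme, payload = split_scheme(stored)
    if scheme is None or scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if scheme not in _DIGESTS:
        raise ValueError("unsupported scheme {%s}" % scheme)
    algo, dlen = _DIGESTS[scheme]
    raw = base64.b64decode(payload)
    digest, salt = raw[:dlen], raw[dlen:]
    expected = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    v = make_hash("SSHA", "secret")
    print(v, verify(v, "secret"), verify(v, "wrong"))
```

A stored value of "secret" with no prefix is simply the cleartext, so auditing a directory for entries whose userPassword lacks a {SCHEME} prefix is a quick way to catch clients that bypassed the exop.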
Howard Chu wrote:
Brandon McCombs wrote:
I'm gathering from reading various sites that openldap doesn't allow a person to specify multiple hash algorithms in the slapd.conf file. Is this correct?
Gathering info from various sites around the web is a bad idea, when the info is plainly available in the OpenLDAP documentation, in this case the slapd.conf(5) manpage:
password-hash <hash> [<hash>...]
This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062).
As usual - it's great that people want to help out and write up their experiences using the software. It would be better if they actually brought their writeups back into the Project (e.g., submissions to ITS) so that they could be checked for accuracy, and eventually merged into the Project's own doc offerings and regularly maintained. The vast majority of 3rd party docs on the web is either outdated and no longer correct, or was never correct in the first place. Until people realize that going off on their own to write something is self-defeating (that goes for both code and documentation) they're only going to do more harm than good. The community works because we all learn from each other and all of our work improves as a result. Working outside of the community will only generate dead ends.
The info I found never explicitly stated either way whether multiple hashes could be listed but since the info I found would only list one hash in the examples I had to assume that multiple hashes weren't allowed since the text wouldn't claim otherwise. I didn't have access to the manpage on my local setup so thanks for the information Howard.
Brandon McCombs wrote:
The info I found never explicitly stated either way whether multiple hashes could be listed but since the info I found would only list one hash in the examples I had to assume that multiple hashes weren't allowed since the text wouldn't claim otherwise. I didn't have access to the manpage on my local setup so thanks for the information Howard.
Hm, who would create an OpenLDAP installation without the manpages? And of course, there's always the OpenLDAP website. http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&...
On another note, to the community at large - when you run across documents around the web that talk about OpenLDAP, you might want to write to the authors of such pages and suggest that they contribute their documents to the Project. It'll get more exposure for them, and the amount of accurate documentation will increase.
Howard Chu wrote:
Brandon McCombs wrote:
The info I found never explicitly stated either way whether multiple hashes could be listed but since the info I found would only list one hash in the examples I had to assume that multiple hashes weren't allowed since the text wouldn't claim otherwise. I didn't have access to the manpage on my local setup so thanks for the information Howard.
Hm, who would create an OpenLDAP installation without the manpages? And of course, there's always the OpenLDAP website. http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&...
On another note, to the community at large - when you run across documents around the web that talk about OpenLDAP, you might want to write to the authors of such pages and suggest that they contribute their documents to the Project. It'll get more exposure for them, and the amount of accurate documentation will increase.
Sorry for not being clear. When I said "my local setup" I didn't mean my local OpenLDAP setup but just my PC in general. I actually am having a friend of mine host OpenLDAP now instead of running it myself so it wasn't easy to look at the manpage. I usually forget about them too which is why I even missed it on the openldap.org site. I'll keep your other note in mind though because it would be better if there was a single source for comprehensive documentation.
Brandon McCombs wrote:
Howard Chu wrote:
Brandon McCombs wrote:
The info I found never explicitly stated either way whether multiple hashes could be listed but since the info I found would only list one hash in the examples I had to assume that multiple hashes weren't allowed since the text wouldn't claim otherwise. I didn't have access to the manpage on my local setup so thanks for the information Howard.
Hm, who would create an OpenLDAP installation without the manpages? And of course, there's always the OpenLDAP website. http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&...
On another note, to the community at large - when you run across documents around the web that talk about OpenLDAP, you might want to write to the authors of such pages and suggest that they contribute their documents to the Project. It'll get more exposure for them, and the amount of accurate documentation will increase.
Sorry for not being clear. When I said "my local setup" I didn't mean my local OpenLDAP setup but just my PC in general. I actually am having a friend of mine host OpenLDAP now instead of running it myself so it wasn't easy to look at the manpage. I usually forget about them too which is why I even missed it on the openldap.org site. I'll keep your other note in mind though because it would be better if there was a single source for comprehensive documentation.
Hi,
Did you miss our Admin Guide, listed on the front page of the main site?
If so, do you think it is named correctly, positioned correctly? Have you read it and think it wasn't clear?
What would *you* like to see in our guide/docs?
We (the OpenLDAP team) are working on a new guide for 2.4, which lists all these features, of what I call "Advanced OpenLDAP", which isn't really, but that title will grab users'/admins' eyes and hopefully cover what you missed.
Any thoughts from all welcomed.
Gavin.
openldap-software@openldap.org