Hi there guys, what I'm going to ask maybe is insane, and I'm awaiting the storm to come :)
I know that there is a directive/option password-hash that allows me to store the password in plain text for example or whatever I want. As far as I know, this only applies to the server. If I set up a replication server, is there a way to tell the replication server to store in a different format, for example, to store them in plain text? Or at least for a specific user via ACL to store its password in plain text?
Thanks for your time and support.
Net Warrior writes:
> Hi there guys, what I'm going to ask maybe is insane, and I'm awaiting the storm to come :)
Yes, it is :-)
> I know that there is a directive/option password-hash that allows me to store the password in plain text for example or whatever I want.
Not exactly. If you modify a password with the Password Modify LDAP operation, the server will hash it before storing it. See the password-hash directive in the slapd.conf(5) manpage for how, and which hash schemes are available. The one you ask for is {CLEARTEXT}.
OTOH when you store a userPassword with the regular LDAP Add or Modify operations, it is stored exactly as you provided it. E.g. in cleartext if you sent it in cleartext. Or as userPassword: {hash-scheme}hashvalue if you send that.
> As far as I know, this only applies to the server,
Looks like you mean the master server.
> If I set up a replication server, is there a way to tell the replication server to store in a different format, for example, to store them in plain text?
Turning a hashed password into a cleartext password is known as cracking the password. If a server (master, replication server or client) can do that, so can an attacker.
On the other hand if the master server has the cleartext password and you want a slave server to have a hashed password, I suppose an overlay in the slave could handle that. Intercept modify/add operations and act like Password Modify. I seem to remember someone had written such an overlay, but I don't remember where it is.
openldap-software@openldap.org
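The two storage paths described in the reply (Password Modify hashing the value under the password-hash scheme, versus a plain Add/Modify storing the value verbatim) and the slave-side "hash it on the way in" overlay idea, as an added example that is not part of the thread and not OpenLDAP's own code. It models only {SSHA} and {CLEARTEXT}; the scheme-prefixed {SSHA} layout (SHA-1 of password+salt, then base64 of digest+salt) is the common RFC 2307 form, and the assumption that {CLEARTEXT} stores the bare value is marked in the code. Function and variable names are the example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307 style {SSHA} userPassword value (hash + salt, base64)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a cleartext candidate against a stored {SSHA} value.

    This is the only direction that works: the salt is recoverable, the
    password is not, which is the point made in the reply about 'cracking'.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def store_via_password_modify(password: bytes, password_hash: str = "{SSHA}") -> str:
    """Model of the Password Modify exop: the server applies password-hash."""
    if password_hash == "{SSHA}":
        return ssha_hash(password)
    if password_hash == "{CLEARTEXT}":
        # Assumption for this example: {CLEARTEXT} stores the bare value.
        return password.decode("utf-8")
    raise ValueError("scheme not modelled in this example: " + password_hash)


def store_via_ldap_modify(value: str) -> str:
    """Model of a plain Add/Modify on userPassword: stored exactly as sent."""
    return value


def hashing_overlay(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Hypothetical slave-side overlay: hash any cleartext userPassword before storage.

    Values that already carry a scheme prefix other than {CLEARTEXT} are left
    alone, so an already-hashed value replicated from the master is not
    double-hashed.
    """
    out = dict(entry)
    rewritten: List[str] = []
    for value in entry.get("userPassword", []):
        if value.startswith("{CLEARTEXT}"):
            rewritten.append(ssha_hash(value[len("{CLEARTEXT}"):].encode("utf-8")))
        elif value.startswith("{"):
            rewritten.append(value)
        else:
            rewritten.append(ssha_hash(value.encode("utf-8")))
    out["userPassword"] = rewritten
    return out


if __name__ == "__main__":
    # Constructed sample: the same secret arriving by each path.
    secret = b"correct horse"
    print("Password Modify, {SSHA}:     ", store_via_password_modify(secret))
    print("Password Modify, {CLEARTEXT}:", store_via_password_modify(secret, "{CLEARTEXT}"))
    print("Plain Modify, value as sent: ", store_via_ldap_modify("correct horse"))
    replicated = hashing_overlay({"userPassword": ["correct horse"]})
    print("After overlay on the slave:  ", replicated["userPassword"][0])
    print("Verifies:", ssha_verify(secret, replicated["userPassword"][0]))
```

Running it shows why the original question has no safe answer: once a value is in {SSHA} form, `ssha_verify` can confirm a candidate but nothing on the slave can turn it back into cleartext, while the overlay path shows the reverse direction (cleartext on the master, hashed on the slave) is a matter of rewriting the attribute before it is written.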