Thank you for the explanation. I guess the thing I don't fully understand is that I can do a ldapsearch with the base as my test user and the domain, but I cannot log in using the same test user. And I also can view the directory from a ldap browser using the test user. Is there something I'm missing?

Note: the ldap.conf that I mention is the padl pam's ldap.conf file.

Thanks,
Vinh
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no> (sent by Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>)
Date: 02/01/2008 10:49 AM
To: Vinh CTR Hoang/ACT/CNTR/FAA@FAA
Cc: openldap-technical@openldap.org
Subject: Re: password-hashing scheme
Vinh.CTR.Hoang@faa.gov writes:

> I'm on solaris 9 with Openldap 2.3.35. I have the password set as
> "clear" in the ldap.conf

There is no such option in OpenLDAP's ldap.conf. Maybe you are using
a Solaris client; you'll have to see what that keyword means there.
However...
> and password-hash as {MD5} in slapd.conf.
This is not related to authentication. See man slapd.conf: it means
that when you modify the password with the Password Modify extended
operation (e.g. OpenLDAP client ldappasswd) then slapd will hash the new
password and store it as "{MD5}<md5-hash>".
> Am I safe to assume that with these settings, it means that the client
> will be sent the passwords over the server as clear text and the
> server will hash it to MD5 before checking against its stored password
> list? If it is not the case, then how should I configure the client
> and server to be the case?

The LDAP Simple Bind operation always sends the password in the clear.
The server checks it against the user's userPassword attribute. That
attribute includes a "{hash algorithm}" prefix if it is hashed, so slapd
can know how to compare.
If you've just taken MD5 hashes and stuffed them into OpenLDAP without
an {MD5} prefix, that won't work. Also there are actually several kinds
of MD5 hashes out there - e.g. a Unix crypt extension supports hashes
which look something like "$1$...$....". In our server we store those
with a "{CRYPT}" prefix since it is crypt() which handles that (on
Linux). Then there are salted and unsalted MD5s - if you have salted,
you should use "{SMD5}", not "{MD5}".
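As an added illustration of the point above (example code written for this page, not OpenLDAP's own implementation), the following builds userPassword values in the {MD5} and {SMD5} forms slapd expects and re-implements the prefix-driven compare that slapd performs on a Simple Bind. The salt length and the "no prefix means cleartext" fallback follow slapd's documented behaviour; the function names are this example's own.

```python
import base64
import hashlib
import os

MD5_DIGEST_LEN = 16  # raw MD5 digest is 16 bytes; the salt follows it in {SMD5}


def hash_md5(password: bytes) -> str:
    """Unsalted {MD5}: base64 of the raw 16-byte digest (not the hex string)."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode("ascii")


def hash_smd5(password: bytes, salt: bytes = b"") -> str:
    """Salted {SMD5}: base64(md5(password + salt) + salt).

    slapd generates a 4-byte random salt; a caller may pass one for reproducibility.
    """
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.md5(password + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def bare_md5_hex(password: bytes) -> str:
    """What people often paste into userPassword by mistake: a hex MD5, no prefix."""
    return hashlib.md5(password).hexdigest()


def verify(stored: str, candidate: bytes) -> bool:
    """Mimic slapd's compare: dispatch on the "{scheme}" prefix of userPassword."""
    if stored.startswith("{MD5}"):
        raw = base64.b64decode(stored[len("{MD5}"):])
        return hashlib.md5(candidate).digest() == raw
    if stored.startswith("{SMD5}"):
        raw = base64.b64decode(stored[len("{SMD5}"):])
        digest, salt = raw[:MD5_DIGEST_LEN], raw[MD5_DIGEST_LEN:]
        return hashlib.md5(candidate + salt).digest() == digest
    # No recognised scheme prefix: slapd treats the stored value as a cleartext
    # password and compares it literally, so an unprefixed MD5 hash only "matches"
    # if the user types the hash itself, never their real password.
    return stored.encode("utf-8") == candidate


if __name__ == "__main__":
    pw = b"secret"  # constructed sample password
    print(hash_md5(pw), verify(hash_md5(pw), pw))
    print(hash_smd5(pw, b"abcd"), verify(hash_smd5(pw, b"abcd"), pw))
    print(bare_md5_hex(pw), verify(bare_md5_hex(pw), pw))  # last value is False
```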