Is the 'password-hash' configuration function a server-wide setting only or can it be set to different values for separate databases? I'm trying to add MAC-auth RADIUS functionality to my LDAP server (openldap-2.4.21) and I need to store the password for the MAC addresses in cleartext. I also use the LDAP server for user login which I don't want to keep in cleartext. So, my thought was to have 'password-hash {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the RADIUS database, but it appears that it's a global so I'm pretty sure this won't work.
Also, how do I verify that the passwords are stored in cleartext? On a test server, I've created just the radius database with a global 'password-hash {CLEARTEXT}'. I have the following ldif file that I add with:

ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
Contents of mac.ldif:

dn: uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword: {cleartext}001e68d08ff9
objectClass: top
objectClass: radiusProfile
objectClass: radiusObjectProfile
but when I use ldapsearch or slapcat to dump the database, the userPassword line looks to be hashed.

ldap_server# slapcat
dn: o=radius
o: radius
objectClass: top
objectClass: organization
structuralObjectClass: organization
entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
creatorsName: cn=Manager,o=radius
createTimestamp: 20100618220235Z
entryCSN: 20100618220235.020635Z#000000#000#000000
modifiersName: cn=Manager,o=radius
modifyTimestamp: 20100618220235Z

dn: uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
objectClass: top
objectClass: radiusprofile
objectClass: radiusObjectProfile
structuralObjectClass: radiusObjectProfile
entryUUID: 591d40f2-a155-4b49-a827-5bfd92ee8c32
creatorsName: cn=Manager,o=radius
createTimestamp: 20100619000726Z
entryCSN: 20100619000726.747404Z#000000#000#000000
modifiersName: cn=Manager,o=radius
modifyTimestamp: 20100619000726Z
Here are the relevant lines from the slapd.conf file:

include /usr/local/etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/radius.schema

password-hash {CLEARTEXT}

database bdb
suffix "o=radius"
rootdn "cn=Manager,o=radius"
rootpw "secret"
directory /var/lib/ldap/radius
index objectClass eq
index ou,cn,uid,memberUid eq,pres,sub
index uniqueMember eq,pres
index entryCSN,entryUUID eq
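A check for the "is it really hashed?" question, as an added example and not code from the original post: the double colon that slapcat prints after userPassword means the value is base64-encoded in LDIF, so this Python decodes such values and reports the {SCHEME} tag each entry's password is stored under. It assumes slapcat output in the form quoted above; the sample entry is constructed from that dump.

```python
import base64
import re

# Constructed sample: the uid entry from the slapcat dump in the question ("::" = base64, folded here).
SLAPCAT_OUTPUT = """\
dn: uid=001e68d08ff9,o=radius
cn: 001e68d08ff9
userPassword:: e2NsZWFydGV4
 dH0wMDFlNjhkMDhmZjk=
objectClass: top
objectClass: radiusObjectProfile
"""

LINE_RE = re.compile(r"^([^:]+)(::?)\s*(.*)$")   # attr, ':' or '::', value
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")  # leading {SCHEME} tag

def parse_ldif(text):
    """Entries as dicts of attribute -> list of bytes; '::' values are base64-decoded."""
    lines = []
    for raw in text.splitlines():           # unfold continuation lines (leading space)
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        m = LINE_RE.match(line)
        if m and not line.startswith("#"):
            attr, sep, value = m.groups()
            data = base64.b64decode(value) if sep == "::" else value.encode()
            current.setdefault(attr, []).append(data)
    return entries

def password_scheme(value):
    """Upper-cased {SCHEME} tag of a userPassword value, or 'NONE' if untagged."""
    m = SCHEME_RE.match(value.decode("utf-8", "replace"))
    return m.group(1).upper() if m else "NONE"

def audit_passwords(text):
    """Map each DN that has a userPassword to the scheme tag(s) it is stored under."""
    report = {}
    for entry in parse_ldif(text):
        for pw in entry.get("userPassword", []):
            report.setdefault(entry["dn"][0].decode(), []).append(password_scheme(pw))
    return report
```

Run it over a full `slapcat` dump (`audit_passwords(open("dump.ldif").read())`) to see at a glance which entries carry {SSHA}, {CLEARTEXT} or untagged values.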