Is the 'password-hash' configuration function a server-wide setting only
Yes.
or can it be set to different values for separate databases?
No.
I'm trying to add MAC-auth RADIUS functionality to my LDAP server (openldap-2.4.21) and I need to store the password for the MAC addresses in cleartext. I also use the LDAP server for user login which I don't want to keep in cleartext. So, my thought was to have 'password-hash {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the RADIUS database, but it appears that it's a global so I'm pretty sure this won't work.
Also, how do I verify that the passwords are stored in cleartext? On a test server, I've created just the radius database with a global 'password-hash {CLEARTEXT}', I have the following ldif file that I add with: ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
Contents of mac.ldif: dn:uid=001e68d08ff9,o=radius uid: 001e68d08ff9 cn: 001e68d08ff9 userPassword: {cleartext}001e68d08ff9 objectClass: top objectClass: radiusProfile objectClass: radiusObjectProfile
but when I use ldapsearch or slapcat to dump the database, the userPassword line looks to be hashed. ldap_server# slapcat dn: o=radius o: radius objectClass: top objectClass: organization structuralObjectClass: organization entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf creatorsName: cn=Manager,o=radius createTimestamp: 20100618220235Z entryCSN: 20100618220235.020635Z#000000#000#000000 modifiersName: cn=Manager,o=radius modifyTimestamp: 20100618220235Z
dn: uid=001e68d08ff9,o=radius uid: 001e68d08ff9 cn: 001e68d08ff9 userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
This is the base64 encoding of "{cleartext}001e68d08ff9"
Please note that slapd will hold what you store in it. password-hash only hashes passwords that are written by the password modify extended operation (RFC3062). So if you write passwords using an add or a modify operation, it will be stored as it is provided.
p.