Ulrich Windl wrote:
>>> Bram Cymet <bcymet(a)cbnco.com> wrote on 28.08.2014 at 22:26 in message <53FF9080.1050209(a)cbnco.com>:
> Hi,
>
> I am storing users passwords in a userPassword attribute. When the
> passwords are hashed with MD5 I can bind as the user just fine. If I
> hash the password with sha-256 I get invalid credentials.
I wonder: My slappasswd only knows about {SHA} and {SSHA}, {MD5} and {SMD5}, {CRYPT}, and {CLEARTEXT}.
Section 14.4 of the manual indicates that hashed passwords are non-standard anyway.
So implement the non-standard on your clients.
No, that's terrible advice. The server should be responsible for all hashing
and verification of hashes, otherwise you are guaranteed to get different
behavior with different clients. This is the reason why the LDAP Bind
operation behaves as it does, and it is the reason why the LDAP PasswordModify
operation exists.
> Is there something I have to change in my client?
> Is there something I have to change on the server?
>
> Is binding a user with a password stored with sha-256 (or at least
> something better than md5) even possible?
>
> Thanks,
>
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
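The server-side verification Howard describes, as an added example that is not code from the thread or from OpenLDAP: a model of how slapd checks a Bind password against a stored userPassword value, using the {SCHEME} prefix and base64(digest || salt) layout that slappasswd produces for the schemes Ulrich lists. The function names and the SCHEMES table are the example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Digest algorithms behind the userPassword schemes a stock slappasswd knows.
# {SHA256} is deliberately absent: a stock slapd has no verifier for it, so a
# Bind against such a value fails exactly like a wrong password would.
SCHEMES = {
    "{SHA}": ("sha1", False),
    "{SSHA}": ("sha1", True),
    "{MD5}": ("md5", False),
    "{SMD5}": ("md5", True),
}


def hash_password(password: str, scheme: str = "{SSHA}", salt: Optional[bytes] = None) -> str:
    """Build a userPassword value the way slappasswd does: {SCHEME}base64(digest || salt)."""
    algo, salted = SCHEMES[scheme]
    salt = (salt if salt is not None else os.urandom(4)) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Server-side check modelled on slapd's Bind: a bare value is compared as
    cleartext, a known {SCHEME} is re-hashed with the stored salt and compared
    in constant time, and an unknown scheme is rejected outright."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme = stored[: stored.index("}") + 1]
    if scheme not in SCHEMES:
        return False  # e.g. "{SHA256}..." on a stock slapd -> invalid credentials
    algo, salted = SCHEMES[scheme]
    blob = base64.b64decode(stored[len(scheme):])
    size = hashlib.new(algo).digest_size
    digest, salt = blob[:size], blob[size:] if salted else b""
    if len(digest) != size:
        return False  # truncated or malformed stored value
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)
```

OpenLDAP's contrib tree ships a pw-sha2 scheme module that adds {SHA256}/{SSHA256} verifiers to slapd; without such a module loaded, writing a pre-hashed SHA-256 value into userPassword produces exactly the "invalid credentials" the original poster saw.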