sim123 wrote:
So I did more research and found that Java or Spring Source has APIs for encrypting passwords and I could store the hashed value in OpenLDAP. If that's the case, would the LDAP server be able to retrieve the password during bind?
And another interesting read is
http://blogs.oracle.com/DirectoryManager/entry/the_ssha_password_storage_sch...
Is that true for OpenLDAP? Can I use a similar algorithm for generating the password? Or should the password policy suffice?
Should be the same. Compare to:
http://www.openldap.org/faq/data/cache/347.html
Generating the salted hash of the password can be done by the client or within slapd when the client sends an LDAP Password Modify extended operation request (RFC 3062) with the clear-text password (as stated in http://www.openldap.org/faq/data/cache/906.html).
Note that there are various forms of bind requests. Hashed passwords in attribute 'userPassword' can only be used with bind methods which send the plaintext password over the wire (simple bind, SASL/PLAIN), and therefore the communication has to be protected (by LDAPS or LDAP with StartTLS).
Ciao, Michael.
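As an added illustration of the client-side option Michael describes (hashing the password before writing it to 'userPassword'), the following Python 3 script is example code written for this thread, not code from OpenLDAP or from either poster. It builds a value in the {SSHA} scheme that slapd understands (SHA-1 over password plus salt, base64 of digest followed by salt) and verifies a candidate password against such a value the way slapd does during a simple bind. The password "secret" and the fixed salt used in the demo are constructed sample values; the salt length is not fixed by the scheme, so the verifier recovers it from whatever follows the 20-byte digest.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest is always 20 bytes; the salt is whatever follows it


def make_ssha(password: str, salt: bytes = None) -> str:
    """Return an OpenLDAP-style {SSHA} userPassword value for `password`.

    A fresh random 4-byte salt is drawn when none is given (the length
    slappasswd uses); any salt length works because the verifier reads the
    salt back out of the stored value.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check `password` against a stored {SSHA} value (what slapd does on bind)."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: %r" % stored)
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("stored value too short to contain digest and salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(candidate, digest)


def ldif_set_password(dn: str, stored: str) -> str:
    """Render an LDIF modify that writes the pre-hashed value into userPassword.

    This is the client-side path: the hash is computed here and sent as-is.
    The alternative, the Password Modify extended operation (RFC 3062), sends
    the clear-text password and lets slapd hash it; it is not shown here.
    """
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "replace: userPassword",
        "userPassword: %s" % stored,
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    stored = make_ssha("secret")
    print(stored)
    print(ldif_set_password("uid=sim123,ou=people,dc=example,dc=com", stored))
    print("correct password verifies:", verify_ssha("secret", stored))
    print("wrong password verifies:  ", verify_ssha("wrong", stored))
```

Whichever side does the hashing, the bind itself still carries the clear-text password, which is why the reply insists on LDAPS or StartTLS: the stored hash protects the password at rest, not in transit.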