-----Original Message----- Is the 'password-hash' configuration function a server-wide setting only, or can it be set to different values for separate databases? I'm trying to add MAC-auth RADIUS functionality to my LDAP server (openldap-2.4.21) and I need to store the password for the MAC addresses in cleartext. I also use the LDAP server for user login, which I don't want to keep in cleartext. So, my thought was to have 'password-hash {SSHA}' for the users database and 'password-hash {CLEARTEXT}' for the RADIUS database, but it appears that it's a global setting, so I'm pretty sure this won't work.
Yes, each database can have a different hashing mechanism set. http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&am...
olcPasswordHash: <hash> [<hash>...] This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
You can have more than one password set for a user and have each password use a different hash mechanism.
Also, how do I verify that the passwords are stored in cleartext? On a test server, I've created just the radius database with a global 'password-hash {CLEARTEXT}', I have the following ldif file that I add with:
What you see is a base64 encoded string. http://www.openldap.org/faq/data/cache/1346.html
I am not familiar with MAC-auth RADIUS. Does it require that you pass a clear-text string to the RADIUS server? Mostly, RADIUS should send a "bind" request to LDAP and if that succeeds it will allow auth. If that is the case, you should not have to use clear-text passwords.
Hope this helps,
- Siddhartha
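The reply above makes two practical points: the value ldapsearch prints for userPassword is base64-encoded regardless of how the password is stored, and the storage scheme is visible only once that encoding is stripped. The following is an added Python example (not from the thread or from OpenLDAP itself) that parses ldapsearch-style LDIF output, decodes each userPassword value, reports the storage scheme per entry, and verifies a candidate password against {SSHA}, {SHA} and cleartext values the way slapd's built-in schemes are defined (an {SSHA} value is base64 of sha1(password + salt) followed by the salt; a cleartext value carries no scheme tag). The sample LDIF, DNs, salt and passwords are constructed for the example; the SSHA layout assumed here is the one OpenLDAP's lutil password code uses, and a cleartext password that itself begins with "{" would be misreported as a scheme tag.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> bytes:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def parse_user_passwords(ldif_text: str) -> Dict[str, List[bytes]]:
    """Return {dn: [raw userPassword values]} from ldapsearch-style LDIF output.

    Handles 'attr: value', base64 'attr:: value' and folded continuation lines
    (lines beginning with a single space).
    """
    lines: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold wrapped line
        else:
            lines.append(raw)
    result: Dict[str, List[bytes]] = {}
    dn = None
    for line in lines:
        if not line.strip():
            dn = None                     # blank line ends the entry
            continue
        if line.startswith("dn:"):
            dn = line[3:].strip()
            if dn.startswith(":"):        # 'dn:: <base64>'
                dn = base64.b64decode(dn[1:].strip()).decode("utf-8")
            result.setdefault(dn, [])
            continue
        if dn is None or not line.lower().startswith("userpassword:"):
            continue
        rest = line[len("userPassword:"):]
        if rest.startswith(":"):          # base64-encoded value
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        result[dn].append(value)
    return result


def storage_scheme(value: bytes) -> str:
    """Scheme tag of a stored userPassword value; no '{...}' prefix means cleartext."""
    if value.startswith(b"{") and b"}" in value:
        return value[1:value.index(b"}")].decode("ascii", "replace").upper()
    return "CLEARTEXT"


def verify_password(stored: bytes, candidate: str) -> bool:
    """Check a candidate password against a stored value (constant-time compares)."""
    scheme = storage_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        body = stored[len(b"{CLEARTEXT}"):] if stored.upper().startswith(b"{CLEARTEXT}") else stored
        return hmac.compare_digest(body, cand)
    if scheme == "SSHA":
        raw = base64.b64decode(stored[len(b"{SSHA}"):])
        digest, salt = raw[:20], raw[20:]     # sha1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme == "SHA":
        digest = base64.b64decode(stored[len(b"{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(cand).digest(), digest)
    raise ValueError("unsupported scheme: " + scheme)


def audit_storage(ldif_text: str) -> Dict[str, List[str]]:
    """Map each DN to the storage scheme of each of its userPassword values."""
    return {dn: [storage_scheme(v) for v in values]
            for dn, values in parse_user_passwords(ldif_text).items()}


# Constructed sample resembling `ldapsearch -LLL ... userPassword` output; the
# values are base64 ("::") whether the database stores {SSHA} or cleartext.
SAMPLE_LDIF = (
    "dn: uid=aabbccddeeff,ou=macs,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(b"aabbccddeeff").decode() + "\n"
    "\n"
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(make_ssha("s3cret", b"salt")).decode() + "\n"
)

if __name__ == "__main__":
    for entry_dn, schemes in audit_storage(SAMPLE_LDIF).items():
        print(entry_dn, schemes)
```

Run it against a real export by piping ldapsearch output into parse_user_passwords; any entry reported as CLEARTEXT in a database that was meant to hash is the misconfiguration to look for, and entries in the RADIUS database should show CLEARTEXT only if that database really needs it.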