On Sat, 23 Nov 2013 20:22:56 +0100, Aleksander Dzierżanowski olo@e-lista.pl wrote:
Message written by Dieter Klünter dieter@dkluenter.de on 23 Nov 2013, at 19:57:
On Sat, 23 Nov 2013 13:24:56 +0100, Michael Ströder michael@stroeder.com wrote:
Dieter Klünter wrote:
Hi, I have an LDAP server (2.4.36) with various password hashes {CLEARTEXT} {KERBEROS} {SSHA} for different users; there is no password-hash declaration in slapd.conf. Now I face a strange behaviour with the {CLEARTEXT} hash, that is: userPassword: {CLEARTEXT} secret
^^^
I'd try to remove this extra space. Not sure though.
Just to demonstrate the various hash scheme {CLEARTEXT} results: http://pastebin.de/37485
Well, AFAIK if there is no {METHOD} in the userPassword attribute then the method is cleartext, so everything works as expected I suppose... — Olo
It is not that simple. RFC-2307 describes hashing schemes, but not {CLEARTEXT}; man slapd.conf(5) mentions {CLEARTEXT} as a password-hash. http://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html only refers to hashed userPassword values. DIGEST-MD5 is a SASL mechanism which requires a cleartext password, thus a hashing scheme of {CLEARTEXT} is valid for a SASL mechanism. A simple bind requires a userPassword attribute value in cleartext, but doesn't require a hashing scheme. It would be quite helpful if OpenLDAP accepted a hash scheme for a simple bind.
-Dieter
On Nov 23, 2013, at 12:10 PM, Dieter Klünter dieter@dkluenter.de wrote:
It is not that simple. RFC-2307 describes hashing schemes, but not {CLEARTEXT}; man slapd.conf(5) mentions {CLEARTEXT} as a password-hash. http://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html only refers to hashed userPassword values. DIGEST-MD5 is a SASL mechanism which requires a cleartext password, thus a hashing scheme of {CLEARTEXT} is valid for a SASL mechanism.
I consider this a bug.
{CLEARTEXT} was introduced as a means for configuring the server for userPassword values with no hash scheme (e.g., cleartext), it's not expected to appear in userPassword.
-- Kurt
openldap-technical@openldap.org
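An audit script for the three situations the thread touches on (an unprefixed cleartext value, a {CLEARTEXT} prefix written into the entry, and the extra space after the prefix that Michael points at), plus {SSHA} verification per the RFC 2307 / draft-stroeder layout. This is an added example, not code from the thread or from OpenLDAP; the finding labels, the minimal LDIF parser and the constructed sample entries are my own assumptions.

```python
import base64
import hashlib
import hmac
import re

# "{SCHEME}" prefix per RFC 2307 / draft-stroeder; everything after the brace is the value.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
# Hash schemes slapd can verify on a simple bind. {CLEARTEXT} is deliberately absent:
# per Kurt's reply it is a password-hash config value, not a userPassword prefix.
HASHED_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}

def classify_userpassword(value: str) -> str:
    """Label one userPassword value for an audit report (labels are this example's own)."""
    m = _SCHEME_RE.match(value)
    if not m:
        return "no-scheme-cleartext"        # stored verbatim; a simple bind compares bytes
    scheme, rest = m.group(1).upper(), m.group(2)
    if rest.startswith(" "):
        return f"{scheme}-leading-space"    # the "^^^" case: the space is part of the value
    if scheme == "CLEARTEXT":
        return "cleartext-prefix-misuse"    # prefix written into the entry itself
    if scheme in HASHED_SCHEMES:
        return f"{scheme}-hashed"
    return f"{scheme}-other"                # e.g. {KERBEROS}: delegated, not a hash

def audit_ldif(ldif_text: str) -> dict:
    """Map each dn in a minimal LDIF dump (dn/userPassword lines only) to its label."""
    findings, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:") and dn:
            raw = line[len("userPassword:"):]
            # LDIF "attr:: value" means the value is base64-encoded
            value = base64.b64decode(raw[1:].strip()).decode() if raw.startswith(":") else raw.strip()
            findings[dn] = classify_userpassword(value)
    return findings

def make_ssha(password: str, salt: bytes) -> str:
    """Produce a {SSHA} value: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, candidate: str) -> bool:
    """Recompute the salted SHA-1 for a {SSHA} value and compare in constant time."""
    m = _SCHEME_RE.match(stored)
    if not m or m.group(1).upper() != "SSHA":
        return False
    raw = base64.b64decode(m.group(2))
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
```

Run `audit_ldif()` over an `slapcat` export to list entries whose userPassword is stored without a hash scheme or carries a {CLEARTEXT} prefix, which is the configuration mistake Kurt describes.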