hi,
I have a question about the password management. As I know, it is possible to use hash functions in openLDAP, for example:
password-hash {CRYPT}
password-crypt-salt-format "$1$somesalt$"
My question is about the compatibility with applications. Today, we have some applications that use openLDAP to create and authenticate users. Is there a way to tell openLDAP to hash the received userPassword before inserting it into its database?
Example: imagine an application (application1) that wants to insert a new record (user account) in an openLDAP directory. Application1 doesn't know how to hash a password; is there a way to tell openLDAP to hash this password before adding the entry?
application1 ----------userPassword: testpasswd-----> openLDAP (hash(testpasswd))------------->bdb ({CRYPT}$1$salt$EdFRTTT.BNHH.
The goal is to make openLDAP manage the hashing process and avoid patching the applications.
thank you
daniel rahmeh writes:
password-hash {CRYPT}
password-crypt-salt-format "$1$somesalt$"
My question is about the compatibility with applications. Today, we have some applications that use openLDAP to create and authenticate users. Is there a way to tell openLDAP to hash the received userPassword before inserting it into its database?
As the slapd.conf manpage says, the above directives tell slapd to hash the password (and how to do so) if the client changes a password using the Password Modify extended operation, but not if it uses plain Add/Modify operations.
Sigh. One paragraph, one thinko/edit error... I wrote:
As the slapd.conf manpage says, the above directives tell slapd to hash the password (and how to do so)
No they tell it how to do so. Default {SSHA} like it says.
if the client changes a password using the Password Modify extended operation, but not if it uses plain Add/Modify operations.
On Thu, May 29, 2008 at 3:53 PM, Hallvard B Furuseth h.b.furuseth@usit.uio.no wrote:
Sigh. One paragraph, one thinko/edit error... I wrote:
As the slapd.conf manpage says, the above directives tell slapd to hash the password (and how to do so)
No they tell it how to do so. Default {SSHA} like it says.
if the client changes a password using the Password Modify extended operation, but not if it uses plain Add/Modify operations.
-- Hallvard
hi,
Thank you for the answer. I've found a way to deal with it: it can be done via the ppolicy module
overlay ppolicy
ppolicy_default "cn=Standard,ou=politiqueMDP,dc=cvf,dc=fr"
ppolicy_hash_cleartext
The last line tells openLDAP to hash the password even if the application sends it as plain text.
thank you
Daniel
Hallvard B Furuseth wrote:
Sigh. One paragraph, one thinko/edit error... I wrote:
As the slapd.conf manpage says, the above directives tell slapd to hash the password (and how to do so)
No they tell it how to do so. Default {SSHA} like it says.
if the client changes a password using the Password Modify extended operation, but not if it uses plain Add/Modify operations.
But see the slapo-ppolicy manpage. ppolicy_hash_cleartext.
openldap-technical@openldap.org
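An added example, not part of the original thread: a defender-side check for the situation discussed above, where clients using plain Add/Modify leave userPassword unhashed unless ppolicy_hash_cleartext is set. It scans an LDIF export (for instance from slapcat) for userPassword values with no {SCHEME} prefix; the sample LDIF, DNs and function names are constructed for illustration.

```python
import base64
import re

# Constructed sample export (not from the thread): alice and dave are hashed,
# bob was written by a plain Add, carol's value is base64-encoded cleartext.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {SSHA}c2FtcGxlLW5vdC1hLXJlYWwtaGFzaA==

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: testpasswd

dn: uid=carol,ou=people,dc=example,dc=com
userPassword:: dGVzdHBhc3N3ZA==

dn: uid=dave,ou=people,dc=example,dc=com
userPassword: {CRYPT}$1$salt$constructed
"""

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_.-]+)\}")  # e.g. {SSHA}, {CRYPT}

def audit_passwords(ldif):
    """Return (dn, scheme) per userPassword value; scheme is None for cleartext."""
    results, dn = [], None
    unfolded = re.sub(r"\r?\n ", "", ldif)   # LDIF folds long lines with "\n "
    for line in unfolded.splitlines():
        name, sep, rest = line.partition(":")
        if not sep:
            dn = None if not line.strip() else dn   # blank line ends the entry
            continue
        if rest.startswith(":"):             # "attr:: value" means base64
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        if name.lower() == "dn":
            dn = value.decode(errors="replace")
        elif name.lower() == "userpassword":
            m = SCHEME_RE.match(value)
            results.append((dn, m.group(1).decode().upper() if m else None))
    return results

def cleartext_entries(ldif):
    """DNs whose stored userPassword carries no {SCHEME} prefix."""
    return [dn for dn, scheme in audit_passwords(ldif) if scheme is None]

if __name__ == "__main__":
    for dn in cleartext_entries(SAMPLE_LDIF):
        print("cleartext userPassword:", dn)
```

A cleartext password that itself begins with a {...} token would pass this check, so treat the result as a lower bound.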