Is the 'password-hash' configuration function a server-wide setting only or can it be set to different values for separate databases? I'm trying to add MAC-auth RADIUS functionality to my LDAP server (openldap-2.4.21) and I need to store the password for the MAC addresses in cleartext. I also use the LDAP server for user login which I don't want to keep in cleartext. So, my thought was to have 'password-hash {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the RADIUS database, but it appears that it's a global so I'm pretty sure this won't work.
Also, how do I verify that the passwords are stored in cleartext? On a test server, I've created just the radius database with a global 'password-hash {CLEARTEXT}', I have the following ldif file that I add with:

ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
Contents of mac.ldif:

dn: uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword: {cleartext}001e68d08ff9
objectClass: top
objectClass: radiusProfile
objectClass: radiusObjectProfile
but when I use ldapsearch or slapcat to dump the database, the userPassword line looks to be hashed.

ldap_server# slapcat
dn: o=radius
o: radius
objectClass: top
objectClass: organization
structuralObjectClass: organization
entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
creatorsName: cn=Manager,o=radius
createTimestamp: 20100618220235Z
entryCSN: 20100618220235.020635Z#000000#000#000000
modifiersName: cn=Manager,o=radius
modifyTimestamp: 20100618220235Z

dn: uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
objectClass: top
objectClass: radiusprofile
objectClass: radiusObjectProfile
structuralObjectClass: radiusObjectProfile
entryUUID: 591d40f2-a155-4b49-a827-5bfd92ee8c32
creatorsName: cn=Manager,o=radius
createTimestamp: 20100619000726Z
entryCSN: 20100619000726.747404Z#000000#000#000000
modifiersName: cn=Manager,o=radius
modifyTimestamp: 20100619000726Z
Here are the relevant lines from the slapd.conf file:

include /usr/local/etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/radius.schema
password-hash {CLEARTEXT}
database bdb
suffix "o=radius"
rootdn "cn=Manager,o=radius"
rootpw "secret"
directory /var/lib/ldap/radius
index objectClass eq
index ou,cn,uid,memberUid eq,pres,sub
index uniqueMember eq,pres
index entryCSN,entryUUID eq
> Is the 'password-hash' configuration function a server-wide setting only

Yes.

> or can it be set to different values for separate databases?

No.
> I'm trying to add MAC-auth RADIUS functionality to my LDAP server (openldap-2.4.21) and I need to store the password for the MAC addresses in cleartext. I also use the LDAP server for user login which I don't want to keep in cleartext. So, my thought was to have 'password-hash {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the RADIUS database, but it appears that it's a global so I'm pretty sure this won't work.
> Also, how do I verify that the passwords are stored in cleartext? On a test server, I've created just the radius database with a global 'password-hash {CLEARTEXT}', I have the following ldif file that I add with: ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
> [...]
> dn: uid=001e68d08ff9,o=radius
> uid: 001e68d08ff9
> cn: 001e68d08ff9
> userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
This is the base64 encoding of "{cleartext}001e68d08ff9"
Please note that slapd will hold what you store in it. password-hash only hashes passwords that are written by the password modify extended operation (RFC3062). So if you write passwords using an add or a modify operation, it will be stored as it is provided.
p.
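The check this reply (and the later ones that say to decode the '::' value) describes, as an added example that is not code from the original thread or from OpenLDAP: parse a slapcat/ldapsearch dump, decode every userPassword, report the scheme tag slapd actually holds, and verify a candidate password against {SSHA}, {SHA}, {CLEARTEXT} or an untagged value. The dump embedded below is constructed for the example; only the 001e68d08ff9 entry is taken from the thread, the alice and switch01 entries, the password "correct horse" and the fixed salt are assumptions.

```python
"""Audit how userPassword values are really stored, from a slapcat dump.

Added example for this thread, not code from the original posts or from
OpenLDAP.  Parses LDIF as slapcat/ldapsearch emit it ('attr:: value' is
base64, continuation lines start with a space), decodes every
userPassword, reports its scheme tag and verifies candidate passwords.
"""
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}")


def ssha_hash(password: bytes, salt: bytes = None) -> bytes:
    """OpenLDAP {SSHA}: base64( SHA1(password || salt) || salt ), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)


def parse_ldif(text: str) -> list:
    """Return one {attr: [bytes, ...]} dict per entry (attribute names lowercased)."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)          # fold LDIF continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):             # 'attr:: base64'
                raw = base64.b64decode(value[1:].strip())
            else:                                 # 'attr: text'
                raw = value.strip().encode()
            attrs.setdefault(name.lower(), []).append(raw)
        entries.append(attrs)
    return entries


def split_scheme(value: bytes):
    """('SSHA', body) for '{SSHA}...'; ('BARE', value) when there is no tag."""
    m = SCHEME_RE.match(value)
    if not m:
        return "BARE", value
    return m.group(1).decode().upper(), value[m.end():]


def verify(value: bytes, candidate: bytes) -> bool:
    """Check candidate against a stored userPassword value (constant-time compares)."""
    scheme, body = split_scheme(value)
    if scheme in ("BARE", "CLEARTEXT"):
        return hmac.compare_digest(body, candidate)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(body), hashlib.sha1(candidate).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]         # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())
    raise ValueError("unsupported scheme " + scheme)


def audit(ldif_text: str) -> list:
    """Return (dn, scheme, decoded value) for every userPassword in the dump."""
    report = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [b"?"])[0].decode()
        for pw in entry.get("userpassword", []):
            report.append((dn, split_scheme(pw)[0], pw))
    return report


def _b64(v: bytes) -> str:
    return base64.b64encode(v).decode()


# Constructed slapcat-style dump (assumption: the alice/switch01 entries).
# OpenLDAP's LDIF writer emits userPassword base64-encoded ('::') whatever
# the stored value is, so the '::' form alone says nothing about hashing.
SAMPLE_LDIF = (
    "dn: uid=001e68d08ff9,o=radius\n"
    "uid: 001e68d08ff9\n"
    "userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=\n"
    "objectClass: radiusObjectProfile\n"
    "\n"
    "dn: uid=alice,o=radius\n"
    "uid: alice\n"
    "userPassword:: " + _b64(ssha_hash(b"correct horse", b"\x01\x02\x03\x04")) + "\n"
    "\n"
    "dn: uid=switch01,o=radius\n"
    "uid: switch01\n"
    "userPassword:: " + _b64(b"0011aabbccdd") + "\n"
)

if __name__ == "__main__":
    for dn, scheme, value in audit(SAMPLE_LDIF):
        print(f"{dn:30} {scheme:10} {value!r}")
```

Run against a real dump with audit(open("dump.ldif").read()); any entry reported as BARE or CLEARTEXT is one whose secret is recoverable by anyone who can read userPassword, which is the property the thread is trying to confine to the RADIUS entries.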
Thanks for everyone's help. I don't want users' passwords stored in clear text in the directory, so I've set the password-hash back to SSHA. Even when it was stored in cleartext, the passwords were base64 encoded and freeradius wasn't seeing that as a match. Since I only need the clear text passwords for machines for MAC-auth via freeradius, I just went ahead and created another schema attribute in our private OID space called userClearPassword, stored the password (MAC address) in that attribute and then on the freeradius server, mapped that attribute to userPassword for the instance that is doing MAC-auth. This keeps my directory users' passwords in a good, secure encryption, and allows my switches to MAC-auth against the cleartext passwords via freeradius. My other radius systems use Web-auth but they are using PAP so the encrypted passwords stored in the directory are fine. Thanks again!

Tom Leach
On 06/24/2010 09:19 AM, masarati@aero.polimi.it wrote:
> [...]
> Thanks for everyone's help. I don't want users' passwords stored in clear text in the directory, so I've set the password-hash back to SSHA. Even when it was stored in cleartext, the passwords were base64 encoded and freeradius wasn't seeing that as a match.
Passwords are not *stored* base64-encoded; they're just presented base64-encoded. They're stored with their actual value. The reason for base64-encoding them when presented is that octet strings could be non-printable.
p.
--On Tuesday, June 22, 2010 8:22 AM -0700 Tom Leach leach@coas.oregonstate.edu wrote:
> userPassword line looks to be hashed.
s/hashed/base 64 encoded
Decode it to see the actual value. <attr>:: always indicates that it is in a base 64-encoded format for LDAP.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
-----Original Message-----

> Is the 'password-hash' configuration function a server-wide setting only or can it be set to different values for separate databases? I'm trying to add MAC-auth RADIUS functionality to my LDAP server (openldap-2.4.21) and I need to store the password for the MAC addresses in cleartext. I also use the LDAP server for user login which I don't want to keep in cleartext. So, my thought was to have 'password-hash {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the RADIUS database, but it appears that it's a global so I'm pretty sure this won't work.
Yes, each database can have a different hashing mechanism set. http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&am...
olcPasswordHash: <hash> [<hash>...] This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
You can have more than one password set for a user and have each password use a different hash mechanism.
> Also, how do I verify that the passwords are stored in cleartext? On a test server, I've created just the radius database with a global 'password-hash {CLEARTEXT}', I have the following ldif file that I add with:
What you see is a base64 encoded string. http://www.openldap.org/faq/data/cache/1346.html
I am not familiar with MAC-auth RADIUS. Does it require that you pass a clear-text string to the RADIUS server? Mostly, RADIUS should send a "bind" request to LDAP and if that succeeds it will allow auth. If that is the case, you should not have to use clear-text passwords.
Hope this helps,
- Siddhartha
Tom Leach leach@coas.oregonstate.edu writes:
> [...]
> Also, how do I verify that the passwords are stored in cleartext? On a test server, I've created just the radius database with a global 'password-hash {CLEARTEXT}', I have the following ldif file that I add with: ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
> [...]
> but when I use ldapsearch or slapcat to dump the database, the userPassword line looks to be hashed.
> [...]
> userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
> [...]
This is just the base64 encoding of the plaintext password. You may decode this by mmencode -u
-Dieter
openldap-technical@openldap.org