On 06/07/10 15:44 -0700, Bryan Boone wrote:
Hi Dan, thanks for the information. Let me see if I understand now.
#1. If I write an application that uses plain LDAP for authentication. First I will need to make sure that the openLDAP server has a userPassword that uses let's say {crypt} hash. Then, in my application I will need to hash the clear text password using {crypt}, then bind (transmit over the network) using the hashed password. Is that correct?
No. If you hash the password within the userPassword attribute, then you will need to submit the cleartext password to the server for hashing verification.
This process is akin to the Unix crypt process for password verification. See the man pages for crypt, or http://en.wikipedia.org/wiki/Crypt_(Unix).
It offers no network protection in itself.
#2. For better security I would use ldap_start_tls. But the same password limitations would exist as in #1. Is that correct?
#3. If a customer has a special environment and has clear text passwords stored in openLDAP. Then the chances are that they will have a special front-end software (SASL binding) that is more robust and is able to perform better authentication methods that do not transmit the password across the network (i.e. Digest-MD5). Is this correct?
DIGEST-MD5 does not transmit the password across the network, that part is correct.
If you're writing your own application, then you have the opportunity to develop your SASL logic up front. Fortunately the OpenLDAP client libraries do the bulk of the work for you.
Many (but not all) clients already support SASL.
Either way, you should consider making TLS a requirement for your users.
From: Dan White dwhite@olp.net To: Bryan Boone v_1bboon@yahoo.com Cc: openldap-technical@openldap.org Sent: Tue, July 6, 2010 3:12:00 PM Subject: Re: Question about password storage.
On 06/07/10 14:44 -0700, Bryan Boone wrote:
If it is not typical to store passwords in LDAP in hashed form, then how are you supposed to bind to LDAP without transmitting the clear text password across the network? I understand that SSL and Kerberos will fix this problem, but what if a user just wants to use plain LDAP? Would I need to dictate to a customer that they must use a hash alg. in the userPassword in this case?
I believe your question is based on a misinterpretation of the above. Storing the password in clear text within the userPassword attribute opens up several SASL based authentication mechanisms which do not transmit the password over the network, such as with DIGEST-MD5 (See RFC 2831).
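The two points Dan makes in this thread, that a hashed userPassword still requires the client to hand the server the cleartext during a simple bind, and that a cleartext userPassword is what lets the server verify a DIGEST-MD5 exchange without the password crossing the wire, can both be seen in a few lines of code. The example below is added here and is not part of the mailing-list discussion or of OpenLDAP's own code. It uses hashlib only; the {SSHA} salt and the password values are constructed for the example, and the DIGEST-MD5 inputs are the worked example from RFC 2831 section 4, so the computed response can be checked against the RFC. {CRYPT} follows the same server-side pattern as {SSHA} with crypt(3) in place of salted SHA-1.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- Simple bind against a hashed userPassword ({SSHA}, OpenLDAP's usual scheme) ---
# The client puts the cleartext password in the bind request; the server hashes it
# with the salt recovered from the stored value and compares. The hash protects the
# directory at rest, not the network: TLS is what protects the bind itself.

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in the {SSHA} form: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # OpenLDAP's default salt length is 4 bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored: str, cleartext_from_bind: str) -> bool:
    """Server-side check of a simple bind; it cannot work without the client's cleartext."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows it
    candidate = hashlib.sha1(cleartext_from_bind.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# --- SASL DIGEST-MD5 (RFC 2831), qop=auth ---
# Only nonce, cnonce, nc and the response hash travel over the network. Both sides
# derive the response from the password, so the server needs the cleartext (or at
# least the unsalted H(username:realm:password)); a {SSHA} or {CRYPT} value is useless here.

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def _digest_md5(username: str, realm: str, password: str, nonce: str, cnonce: str,
                nc: str, qop: str, digest_uri: str, a2_prefix: str,
                authzid: Optional[str] = None) -> str:
    # A1 = H(username:realm:password) : nonce : cnonce [: authzid]  (inner H is raw bytes)
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri for the client response, ":" digest-uri for rspauth
    a2 = f"{a2_prefix}:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    return _md5hex(f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}".encode("utf-8"))

def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client 'response' directive (RFC 2831 section 2.1.2.1)."""
    return _digest_md5(username, realm, password, nonce, cnonce, nc, qop, digest_uri, "AUTHENTICATE")

def digest_md5_rspauth(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Server 'rspauth' directive (RFC 2831 section 2.1.3), proving the server knew the password too."""
    return _digest_md5(username, realm, password, nonce, cnonce, nc, qop, digest_uri, "")

def server_checks_digest(stored_userpassword: str, client_response: str, username: str,
                         realm: str, nonce: str, cnonce: str, nc: str, qop: str,
                         digest_uri: str) -> bool:
    """What the directory does with the client's response: recompute it from the stored value."""
    if stored_userpassword.startswith("{"):
        # A hashed scheme such as {SSHA} or {CRYPT}: the server cannot form A1.
        raise ValueError("DIGEST-MD5 needs a cleartext userPassword")
    expected = digest_md5_response(username, realm, stored_userpassword,
                                   nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, client_response)

if __name__ == "__main__":
    # Constructed values for the simple-bind case.
    stored = make_ssha("secret", b"\x01\x02\x03\x04")
    print(stored, verify_ssha(stored, "secret"), verify_ssha(stored, "Secret"))
    # RFC 2831 section 4 example values for the DIGEST-MD5 case.
    resp = digest_md5_response("chris", "elwood.innosoft.com", "secret", "OA6MG9tEQGm2hh",
                               "OA6MHXh6VqTrRk", "00000001", "auth", "imap/elwood.innosoft.com")
    print(resp)
```

With the RFC's inputs the client response comes out as `d388dad90d4bbd760a152321f2143af7` and the server's `rspauth` as `ea40f60335c427b5527b84dbabcdfffd`, the values printed in RFC 2831 section 4. Running `server_checks_digest` against an `{SSHA}` value raises, which is the practical reason a site that wants DIGEST-MD5 (or CRAM-MD5) ends up keeping userPassword in cleartext and leaning on TLS plus access controls to protect the attribute instead.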