Hello everyone,
I have a quick question about changing passwords and having them encrypted.
We are running OpenLDAP VERSION: 2.3.39,REV=2008.01.01
This is in slapd.conf:
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
The passwords are changed via ldapmodify of the Net::LDAP perl module. The changes work, however, the new passwords are unencrypted, at least the infamous ldap browser tells me that.
Honestly, I have no idea where else to look. Could someone provide a pointer into the right direction?
Regards, Claus
Kick, Claus writes:
This is in slapd.conf:
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
The passwords are changed via ldapmodify of the Net::LDAP perl module. The changes work, however, the new passwords are unencrypted, at least the infamous ldap browser tells me that.
Honestly, I have no idea where else to look. Could someone provide a pointer into the right direction?
Try the slapd.conf manpage:
password-hash <hash> [<hash>...]
This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). (...) Note that this option does not alter the normal user applications handling of userPassword during LDAP Add, Modify, or other LDAP operations.
Kick, Claus writes:
This is in slapd.conf:
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
The passwords are changed via ldapmodify of the Net::LDAP perl module. The changes work, however, the new passwords are unencrypted, at least the infamous ldap browser tells me that.
Honestly, I have no idea where else to look. Could someone provide a pointer into the right direction?
Try the slapd.conf manpage:
Ok, shame on me for not reading that sentence, but it does not really solve the issue. What can I do about this?
Cheers, Claus
On Wednesday 12 March 2008 13:29:20 Kick, Claus wrote:
Kick, Claus writes:
This is in slapd.conf:
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
The passwords are changed via ldapmodify of the Net::LDAP perl module. The changes work, however, the new passwords are unencrypted, at least the infamous ldap browser tells me that.
Honestly, I have no idea where else to look. Could someone provide a pointer into the right direction?
Try the slapd.conf manpage:
Ok, shame on me for not reading that sentence, but it does not really solve the issue. What can I do about this?
Either:
1) (Ab)use ppolicy to encrypt passwords for you, by setting:
ppolicy_hash_cleartext yes
However, if you don't use ppolicy yet, this is probably overkill, and will introduce some other issues you may not want.
2) Fix your script to use the password change extended operation, Net::LDAP does support it, see 'perldoc Net::LDAP::Extension::SetPassword' or 'man Net::LDAP::Extension::SetPassword'
Regards, Buchan
Hello,
Ok, shame on me for not reading that sentence, but it does not really solve the issue. What can I do about this?
2) Fix your script to use the password change extended operation, Net::LDAP does support it, see 'perldoc Net::LDAP::Extension::SetPassword' or 'man Net::LDAP::Extension::SetPassword'
Ok, weird. This module isn't mentioned on http://ldap.perl.org/, but if you know how it is called, you can find it on CPAN. Sigh.
Thanks for helping,
Claus
On Wednesday 12 March 2008 16:10:02 Kick, Claus wrote:
Hello,
Ok, shame on me for not reading that sentence, but it does not really solve the issue. What can I do about this?
2) Fix your script to use the password change extended operation, Net::LDAP does support it, see 'perldoc Net::LDAP::Extension::SetPassword' or 'man Net::LDAP::Extension::SetPassword'
Ok, weird. This module isn't mentioned on http://ldap.perl.org/, but if you know how it is called, you can find it on CPAN. Sigh.
It's part of Net::LDAP, ships in the perl-ldap tarball.
Regards, Buchan
openldap-technical@openldap.org
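
A way to confirm what the LDAP browser reported in this thread, as an added example that is not from any of the posters or from the OpenLDAP project: it reads an LDIF export and reports, per entry, whether each userPassword value carries a hash scheme prefix such as {CRYPT} or is stored as cleartext. The function names and the sample export are constructed for illustration; the check assumes hashed values start with a {SCHEME} prefix and that `attr::` lines are base64 transport encoding.

```python
import base64
import re

# Hashed userPassword values carry a scheme prefix such as {CRYPT} or {SSHA}.
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_.-]+)\}")

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def classify(value):
    """Return the scheme name in upper case, or 'CLEARTEXT' when no prefix is present."""
    m = SCHEME_RE.match(value)
    return m.group(1).decode().upper() if m else "CLEARTEXT"

def audit_ldif(ldif_text):
    """Return [(dn, scheme)] for every userPassword value in an LDIF export."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        # "attr:: xxx" is base64 transport encoding, not hashing: decode before judging.
        is_b64 = rest.startswith(":")
        value = base64.b64decode(rest[1:].strip()) if is_b64 else rest.strip().encode()
        name = attr.split(";")[0].lower()
        if name == "dn":
            dn = value.decode("utf-8", "replace")
        elif name == "userpassword":
            findings.append((dn, classify(value)))
    return findings

# Constructed sample export; DNs, passwords and hash strings are made up.
CRYPT_B64 = base64.b64encode(b"{CRYPT}$1$abcdefgh$0123456789abcdefghijkl").decode()
PLAIN_B64 = base64.b64encode(b"Secret123").decode()
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword:: " + CRYPT_B64[:20] + "\n " + CRYPT_B64[20:],  # folded value
    "\ndn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword:: " + PLAIN_B64,  # base64 of a cleartext value
    "\ndn: uid=carol,ou=people,dc=example,dc=org",
    "userPassword: {SSHA}constructedNotARealDigest",
])
```

A CLEARTEXT row means the value was stored exactly as the client sent it, which is what the manpage excerpt above says happens for plain Add and Modify operations.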