-----Original Message-----
Is the 'password-hash' configuration function a server-wide setting only or can it be set to different values for separate databases? I'm trying to add MAC-auth RADIUS functionality to my LDAP server (openldap-2.4.21) and I need to store the password for the MAC addresses in cleartext. I also use the LDAP server for user login which I don't want to keep in cleartext. So, my thought was to have 'password-hash {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the RADIUS database, but it appears that it's a global so I'm pretty sure this won't work.
Yes, each database can have a different hashing mechanism set. http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&am...
I'm afraid that man page is incorrect. As far as I know, that directive is global, not database specific. That's what I get from the code (and what I remembered). You can check yourself by adding the directive and inspecting the content of cn=config.
We need at least to fix the manpage.
p.
masarati@aero.polimi.it wrote:
I'm afraid that man page is incorrect. As far as I know, that directive is global, not database specific. That's what I get from the code (and what I remembered). You can check yourself by adding the directive and inspecting the content of cn=config.
We need at least to fix the manpage.
The manpage is correct. It clearly states "This setting is only allowed in the frontend entry."
Right; I was mistaken by the fact that olcPasswordHash is allowed by class olcGlobal.
p.
masarati@aero.polimi.it wrote:
Right; I was mistaken by the fact that olcPasswordHash is allowed by class olcGlobal.
Yes, it's allowed in olcGlobal for backward compatibility with slapd.conf, which didn't enforce any distinction between "global" and "frontend" directives. But it's not evaluated there, since it's possible to specify a hash mechanism that is loaded from a module (and the moduleLoad parsing hasn't occurred yet when olcGlobal is read).
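An added example (my own, not code from the OpenLDAP project or from anyone in this thread) that automates the check suggested earlier, inspecting the content of cn=config, and encodes the rule stated in the last reply: olcPasswordHash is honoured only in the frontend entry, is accepted under cn=config (olcGlobal) for slapd.conf compatibility but not evaluated there, and is not allowed on any other database. It assumes the frontend entry DN olcDatabase={-1}frontend,cn=config and the attribute name olcPasswordHash as used in the thread; the LDIF input is constructed for the example and is not a dump from a real server.

```python
"""
Audit where olcPasswordHash is set in a cn=config LDIF (e.g. `slapcat -n 0`
output, or an LDIF you are about to ldapadd). Added example; not OpenLDAP code.
"""
import base64
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Assumption taken from the thread: the frontend entry lives at this DN.
FRONTEND_DN = "olcDatabase={-1}frontend,cn=config"

# Constructed sample resembling a cn=config dump (not from a real host).
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcPasswordHash: {CLEARTEXT}

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcPasswordHash: {SSHA}

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcPasswordHash: {CLEARTEXT}

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=radius,dc=example,dc=com
"""

_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Tuple[str, Entry]]:
    """Minimal LDIF parser: unfolds continuation lines, skips comments and
    the version line, decodes base64 ("::") values. Returns (dn, attrs)."""
    unfolded = re.sub(r"\n ", "", text)          # a leading space continues the previous line
    entries: List[Tuple[str, Entry]] = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}                      # type: ignore[var-annotated]
        for line in block.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            m = _LINE.match(line)
            if not m:
                raise ValueError(f"unparseable LDIF line: {line!r}")
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF entry without a dn")
        entries.append((dn, attrs))
    return entries


def classify(dn: str) -> str:
    """Where in cn=config an entry sits: frontend, global, database, other."""
    d = dn.strip().lower()
    if d == FRONTEND_DN.lower():
        return "frontend"
    if d == "cn=config":
        return "global"
    if d.startswith("olcdatabase=") and d.endswith(",cn=config"):
        return "database"
    return "other"


# Rule from the thread: only the frontend value is evaluated.
_VERDICT = {
    "frontend": ("effective", "this value applies to every database served by slapd"),
    "global": ("ignored", "allowed under olcGlobal for slapd.conf compatibility, but never evaluated"),
    "database": ("invalid", "olcPasswordHash is only allowed in the frontend entry; slapd rejects it here"),
    "other": ("invalid", "olcPasswordHash does not belong in this entry"),
}


def audit_password_hash(ldif_text: str) -> List[dict]:
    """One finding per entry that carries olcPasswordHash, in file order."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        values = [v for k, vs in attrs.items() if k.lower() == "olcpasswordhash" for v in vs]
        if not values:
            continue
        status, note = _VERDICT[classify(dn)]
        findings.append({"dn": dn, "values": values, "status": status, "note": note})
    return findings


def effective_password_hash(ldif_text: str) -> List[str]:
    """The hash scheme(s) slapd will actually use: the frontend entry's values,
    or [] if the frontend sets none (the built-in default then applies)."""
    return [v for f in audit_password_hash(ldif_text) if f["status"] == "effective" for v in f["values"]]


if __name__ == "__main__":
    for f in audit_password_hash(SAMPLE_CONFIG_LDIF):
        print(f"{f['status']:9s} {f['dn']}: {' '.join(f['values'])}  ({f['note']})")
    print("effective:", effective_password_hash(SAMPLE_CONFIG_LDIF))
```

On the sample, the {CLEARTEXT} value under cn=config is reported as ignored and the one under olcDatabase={1}hdb as invalid; only the frontend's {SSHA} is effective, which is exactly why the per-database split asked about at the top of the thread cannot be expressed this way. To run it against a live server, feed it the output of `slapcat -n 0` instead of the constructed sample.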
openldap-technical@openldap.org