On 08/22/12 19:43 +0300, Adrian Paleacu wrote:
Hi Dan,
Thank you for quick response. So is not possible to inform LDAP service that an already hashed password is passed trough.
You can accomplish hashing of your password, over the network, by binding with SASL. Depending on the mechanism you use, doing so will require you to store your passwords in cleartext on the server. See:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/mechanisms.php
OTP and SRP do not require storing your password in cleartext.
In any case, if your desire is to secure the transmission of your password, the use of TLS is recommended.
If you're asking how to handle the case where you're transitioning to an ldap based authentication scheme from a hashed password store (such as /etc/shadow), see the manpage for crypt(3), and prepend your hashes with {CRYPT} before storing them within slapd.
On Wed, Aug 22, 2012 at 6:06 PM, Dan White dwhite@olp.net wrote:
On 08/22/12 17:48 +0300, Adrian Paleacu wrote:
Hi everyone,
I have a binding question regarding the password. Is possible to send a hashed password to LDAP system. My passwords are hashed and I don't have a way to send it as plain text.
See Section 14.4 of the OpenLDAP Administrator's guide.
If your passwords are stored on your server in certain hashed forms, then slapd will expect you to transmit a cleartext password to be hashed and locally compared with the stored password value.
openldap-technical@openldap.org
-
Dan White