On Wed, Sep 14, 2011 at 3:28 PM, Jacobus brogly.decap <jacobusbogers@gmail.com> wrote:
I want to do the same thing,
Best way is to do it via a module, there is an example in the src distribution:
/openldap-2.4.23/contrib/slapd-modules/passwd/sha2
Basically you don't want cleartext passwords stored in the DIT, so you want to hash them.
I tried the ppolicy overlay with ppolicy_hash_cleartext on; it looks like it's doing SSHA with ldapadd or ldapmodify operations. However, I'm just wondering if this is the best way.
Thanks
Cheers,
Jacob

2011/9/14 sim123 <Sim3159@gmail.com>
On Wed, Sep 14, 2011 at 3:00 AM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Tuesday, 13 September 2011 23:01:23 sim123 wrote:
Hi All,
I am trying to store SSHA passwords in openldap instead of plain text via C code and wondering how this works. I tried exploring archives, FAQ etc. and what I gathered from there is that openLDAP has built-in support for various password encryption algorithms; however it does not have any APIs for generating passwords
Are you sure?
and the password-hash directive works with the ldappasswd utility only.
Really? It seems to work fine from pam_ldap (using 'pam_password exop'), Net::LDAP and various other tools.
http://www.openldap.org/faq/data/cache/906.html
If I use some tool like Apache DS and modify my userPassword attribute to be SSHA instead of plain text it all works. I want to know how this works under the hood. Who is responsible for generating hashed passwords? If I generate it using some C routine, how does the LDAP server retrieve it during the bind operation? I would really appreciate it if there is any related documentation available.
Maybe you should read about the Password Modification extended operation ....
IMHO, you shouldn't be hashing passwords on the client-side, it is much better to let the DS hash the password in the format it is configured for (so you know it will actually be able to use the password, and allowing you to use newer/stronger hashes as and when the DS supports them, without coding the support yourself).
I agree that the DS should hash the password; however I am not sure what the password modification extended operation is. Is it the ldappasswd utility, or does openLDAP offer some kind of API to do so? Also, how can I configure hashing in SLAPD?
Basically my C program will call the ldap_add_ext_s() operation; while doing that, how can I make sure that the userPassword attribute is treated differently (hashed)? I was looking into password policy and am not sure if it suffices for my needs.
Regards, Buchan
openldap-technical@openldap.org
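The two server-side hashing paths the thread refers to, as an added slapd.conf fragment that is not part of the thread and not from the OpenLDAP distribution; the schema paths, suffix and backend are assumptions. The point it shows: `password-hash` only governs passwords received through the Password Modify extended operation (RFC 3062, which is what ldappasswd and libldap's ldap_passwd_s() use), while a cleartext userPassword sent through plain ldapadd/ldapmodify is only hashed when the ppolicy overlay has `ppolicy_hash_cleartext` set.

```conf
# Added example (not from the thread): minimal slapd.conf showing both
# ways to get slapd, rather than the client, to hash userPassword.
# Paths, backend and suffix are assumptions; adjust for your install.
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
# Only needed when the overlay was built as a loadable module.
moduleload      ppolicy.la

# Global: hash scheme applied to passwords that arrive via the
# Password Modify extended operation (ldappasswd, ldap_passwd_s(),
# pam_ldap with 'pam_password exop', Net::LDAP set_password, ...).
# This directive does NOT touch a userPassword value written with an
# ordinary add/modify; such a value is stored exactly as sent.
password-hash   {SSHA}

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /usr/local/var/openldap-data

# Password policy overlay on this database.
overlay         ppolicy
# Hash cleartext userPassword values on add/modify as well, using the
# scheme from password-hash above. This is what makes a plain
# ldapadd/ldapmodify (or ldap_add_ext_s()) end up as {SSHA}. Note that
# slapd's documentation flags this as a deviation from the X.500 data
# model, since the stored value differs from the one the client sent.
ppolicy_hash_cleartext
```

With only `password-hash` set, a client that wants the server to do the hashing must use the Password Modify extended operation; with `ppolicy_hash_cleartext` added, a cleartext value on add/modify is hashed too, but a value that already carries a `{SCHEME}` prefix is stored as-is.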