Hello,
let's open up old wounds. Ok, it sounds jerky, but I don't mean it.
Anyway. As the subject suggests, my question is how to code an application which allows a user to change his password. Or, better to ask, whether there is some [to me] unknown LDAP function which figures out what password encryption [hash] is used and generates a new hash of the password, or whether the application should have any idea at all what kind of password encryption is used. I think this is just impossible. Login is one thing, changing a password is another. Please, don't suggest using slappasswd for generating the hash. This is really no good way to do it, and also, slappasswd is not all-knowing, or is it? Yeah, it could save the need to code for whatever hash is used, yet calling an external application, which doesn't even have to be present on the system since LDAP can be used over the network, is just not funky enough.
Please, don't mind the tone if it doesn't look normal or neutral. There is no intention to be offensive or flame, but to get the answer and solution.
So far, I've implemented functions for CRYPT and later for SSHA. Users can't choose what hash will be used - and of course, there is no such intention. The point is, I haven't figured out another way. And it's not just an application, but ldap-tools too. Add a new user? Use slappasswd. Change a password from the command line? Use slappasswd.
Regards, Zdenek
PS: This question dates back a couple of months. I've tried to ask and clarify this, but ... let's say it got lost in the static :)
-- Zdenek Styblik Net/Linux admin OS TurnovFree.net email: stybla@turnovfree.net jabber: stybla@jabber.turnovfree.net
--On Tuesday, December 15, 2009 12:52 AM +0100 Zdenek Styblik stybla@turnovfree.net wrote:
Hello,
let's open up old wounds. Ok, it sounds jerky, but I don't mean it.
Why not just issue a password change operation and let the OpenLDAP server use its default encryption mechanism that the admin has specified?
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
--On Tuesday, December 15, 2009 12:52 AM +0100 Zdenek Styblik stybla@turnovfree.net wrote:
Hello,
let's open up old wounds. Ok, it sounds jerky, but I don't mean it.
Why not just issue a password change operation and let the OpenLDAP server use its default encryption mechanism that the admin has specified?
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
As I've explained later, I didn't figure out/find out how to use such a feature, nor am I aware such a feature exists. I'll be more than happy to use it. Or I don't know if I did something wrong. Could you please provide some example in case it's different from:
--- SNIP ---
changetype: modify
userPassword: mySecretPasswd
--- SNIP ---
where 'mySecretPasswd' is in clear text and LDAP is supposed to know exactly what to do with userPassword. In other words, get the default password encryption, generate the hash, store the password.
At least I think I did it like this. I don't recall correctly, as it was the wrong way to change a password, and since then I'm using slappasswd to get the hash when on the command line, or a function in the application[s].
Thanks, Zdenek
--On Tuesday, December 15, 2009 1:23 AM +0100 Zdenek Styblik stybla@turnovfree.net wrote:
As I've explained later, I didn't figure out/find out how to use such a feature, nor am I aware such a feature exists. I'll be more than happy to use it. Or I don't know if I did something wrong. Could you please provide some example in case it's different from:
--- SNIP ---
changetype: modify
userPassword: mySecretPasswd
--- SNIP ---
where 'mySecretPasswd' is in clear text and LDAP is supposed to know exactly what to do with userPassword. In other words, get the default password encryption, generate the hash, store the password.
At least I think I did it like this. I don't recall correctly, as it was the wrong way to change a password, and since then I'm using slappasswd to get the hash when on the command line, or a function in the application[s].
Well, I'd suggest you start by looking at the code for ldappasswd, which is freely distributed with the OpenLDAP source. In addition, you can read about the RFC at:
http://tools.ietf.org/html/rfc3062
And here's an example using perl:
http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/FAQ.pod#Ho_do_I_reset_a_user%27s_password_...
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
--On Tuesday, December 15, 2009 1:23 AM +0100 Zdenek Styblik stybla@turnovfree.net wrote:
As I've explained later, I didn't figure out/find out how to use such a feature, nor am I aware such a feature exists. I'll be more than happy to use it. Or I don't know if I did something wrong. Could you please provide some example in case it's different from:
--- SNIP ---
changetype: modify
userPassword: mySecretPasswd
--- SNIP ---
where 'mySecretPasswd' is in clear text and LDAP is supposed to know exactly what to do with userPassword. In other words, get the default password encryption, generate the hash, store the password.
At least I think I did it like this. I don't recall correctly, as it was the wrong way to change a password, and since then I'm using slappasswd to get the hash when on the command line, or a function in the application[s].
Well, I'd suggest you start by looking at the code for ldappasswd, which is freely distributed with the OpenLDAP source. In addition, you can read about the RFC at:
http://tools.ietf.org/html/rfc3062
And here's an example using perl:
http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/FAQ.pod#Ho_do_I_reset_a_user%27s_password_...
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Great and thanks. If you can, please consider adding this to OpenLDAP admin guide appendices or something like that. :)
Zdenek
Quanah Gibson-Mount wrote:
http://tools.ietf.org/html/rfc3062
And here's an example using perl:
http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/FAQ.pod#Ho_do_I_reset_a_user%27s_password_...
And for the folks who prefer Python:
http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.passwd
It wraps OpenLDAP libldap's function ldap_passwd().
Ciao, Michael.
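The Password Modify extended operation that both replies point to (RFC 3062, which ldappasswd, Net::LDAP and python-ldap's passwd() all speak), as an added example that is not part of this thread or of OpenLDAP's code: a minimal DER encoder for the request value and decoder for the response value, so the bytes a client actually sends are visible. The DN and passwords are constructed sample values.

```python
# Added example (not from the thread): the value carried by the RFC 3062 Password
# Modify extended operation. The client ships the cleartext new password (or nothing,
# to have the server generate one); the server applies its own configured hash.

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName, RFC 3062 section 2

def _der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def encode_passwd_modify_request(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0] OCTET STRING OPTIONAL,
    oldPasswd [1] OCTET STRING OPTIONAL, newPasswd [2] OCTET STRING OPTIONAL }
    Context-specific primitive tags 0x80/0x81/0x82; absent fields are omitted, so an
    empty SEQUENCE asks the server to act on the bound user and generate a password."""
    body = b"".join(
        _tlv(tag, field.encode("utf-8"))
        for tag, field in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd))
        if field is not None
    )
    return _tlv(0x30, body)

def decode_passwd_modify_response(value: bytes):
    """PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }
    Returns the server-generated password, or None when the client supplied one."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a PasswdModifyResponseValue SEQUENCE")
    if not body:
        return None
    tag, gen, end = _read_tlv(body, 0)
    if tag != 0x80 or end != len(body):
        raise ValueError("unexpected element in PasswdModifyResponseValue")
    return gen.decode("utf-8")
```

With python-ldap this value is built for you by LDAPObject.passwd_s(user, oldpw, newpw), and libldap's ldap_passwd() does the same in C; the server then hashes according to its password-hash setting, so the client never learns or chooses the scheme. Because the new password crosses the network in the clear inside this request, the connection must be protected with TLS (ldaps:// or StartTLS).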
Zdenek Styblik wrote:
Hello,
let's open up old wounds. Ok, it sounds jerky, but I don't mean it.
Anyway. As the subject suggests, my question is how to code an application which allows a user to change his password. Or, better to ask, whether there is some [to me] unknown LDAP function which figures out what password encryption [hash] is used and generates a new hash of the password, or whether the application should have any idea at all what kind of password encryption is used. I think this is just impossible. Login is one thing, changing a password is another.
That's what ldappasswd is for. And no, the application should never have any idea what encryption a server uses. That's purely a server-internal issue.
Howard Chu wrote:
Zdenek Styblik wrote:
Hello,
let's open up old wounds. Ok, it sounds jerky, but I don't mean it.
Anyway. As the subject suggests, my question is how to code an application which allows a user to change his password. Or, better to ask, whether there is some [to me] unknown LDAP function which figures out what password encryption [hash] is used and generates a new hash of the password, or whether the application should have any idea at all what kind of password encryption is used. I think this is just impossible. Login is one thing, changing a password is another.
That's what ldappasswd is for. And no, the application should never have any idea what encryption a server uses. That's purely a server-internal issue.
Then there should be an API or mechanisms which do allow such behavior. If you mean calling ldappasswd as an external script, then it is slappasswd all over again. Such an option is always the last one. But this is just my opinion, and I'm perfectly fine if you don't agree :)
Zdenek
Howard Chu wrote:
Zdenek Styblik wrote:
Anyway. As the subject suggests, my question is how to code an application which allows a user to change his password. Or, better to ask, whether there is some [to me] unknown LDAP function which figures out what password encryption [hash] is used and generates a new hash of the password, or whether the application should have any idea at all what kind of password encryption is used. I think this is just impossible. Login is one thing, changing a password is another.
That's what ldappasswd is for. And no, the application should never have any idea what encryption a server uses. That's purely a server-internal issue.
Oh, well...
http://www.openldap.org/its/index.cgi?findid=6250
SCNR. ;-}
Ciao, Michael.
openldap-technical@openldap.org