I thought I could use something like "credentials={SSHA}/iiPJIZ2Srf+O0HqLIypyKYKccx9V6ag" with idassert-bind or acl-bind in configuring an ldap backend in slapd.conf, instead of including the cleartext password. But when I try that I get an "invalid credentials" error from the proxied Active Directory. I've carefully regenerated the hashed value with slappasswd and repasted the new value into my slapd.conf file, so I'm pretty sure that the hash is correct.
Is there a right way to obfuscate passwords that will be sent to a proxied AD server?
Thanks.
Steve
Steve Eckmann wrote:
I thought I could use something like “credentials={SSHA}/iiPJIZ2Srf+O0HqLIypyKYKccx9V6ag” with idassert-bind or acl-bind in configuring an ldap backend in slapd.conf, instead of including the cleartext password. But when I try that I get an “invalid credentials” error from the proxied Active Directory. I’ve carefully regenerated the hashed value with slappasswd and repasted the new value into my slapd.conf file, so I’m pretty sure that the hash is correct.
Clients always need clear-text credentials.
Ciao, Michael.
Thanks, Michael. So the ldap backend acting as a client needs cleartext credentials; I see that now.
Is there some conventional way to provide the cleartext password to slapd-ldap without exposing it in the slapd.conf file?
Regards, Steve
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Monday, April 22, 2013 10:28 AM
To: Steve Eckmann; openldap-technical@openldap.org
Subject: Re: hashed credentials for idassert-bind?
--On Monday, April 22, 2013 6:35 PM +0000 Steve Eckmann steve.eckmann@issinc.com wrote:
Thanks, Michael. So the ldap backend acting as a client needs cleartext credentials; I see that now.
Is there some conventional way to provide the cleartext password to slapd-ldap without exposing it in the slapd.conf file?
You could use the cn=config backend, then it would be in slapd.d or whatever you named it. But it is still going to exist on-disk.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
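As an added illustration of Quanah's suggestion (this is not from the thread or from the OpenLDAP project), the following LDIF moves the back-ldap proxy bind credential out of slapd.conf and into the cn=config database. It is the cn=config form of a slapd.conf line such as `idassert-bind bindmethod=simple binddn="..." credentials="..." mode=none`. The database index `{2}`, the service-account DN and the password value are constructed placeholders; as Michael points out, the credential itself has to stay cleartext because slapd sends it in a simple bind to the proxied AD, so a `{SSHA}` hash cannot be used here.

```ldif
# Added example, not from the original thread.
# Replaces the idassert-bind credential on an existing back-ldap proxy
# database. Adjust {2} to the index of your ldap database in cn=config.
# The binddn and credentials below are constructed placeholders.
dn: olcDatabase={2}ldap,cn=config
changetype: modify
replace: olcDbIDAssertBind
olcDbIDAssertBind: bindmethod=simple binddn="CN=ldap-proxy,OU=Service Accounts,DC=example,DC=com" credentials="REPLACE-WITH-PROXY-PASSWORD" mode=none
```

Apply it over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f idassert-bind.ldif`. The password is then stored in `slapd.d/cn=config/olcDatabase={2}ldap.ldif` rather than in slapd.conf, so it is still on disk: keep that directory owned by the slapd user with no group or world read access, and give the proxy account only the AD permissions the proxy actually needs, since anyone who can read that file holds a working AD credential.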
Yes, that makes sense. Thanks. -steve
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, April 22, 2013 12:58 PM
To: Steve Eckmann
Cc: openldap-technical@openldap.org
Subject: RE: hashed credentials for idassert-bind?