Hello,
I need the userPassword values to be stored hashed. I have configured the slapd.conf file with this option:
password-hash {SSHA}
But when I add users with the ldapadd command, I pass the values of userPassword in plain text, like this:
/opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn << _EOF
dn: uid=usu3,ou=users,o=my_organization
uid: usu2
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
cn: my_cn
sn: my_sn
mail: my_mail@mydomain.com
userPassword: usuario
_EOF
I think these values should be stored hashed, but they are only stored in plain text, base64-encoded:
/opt/openldap/bin/ldapsearch -D cn="root_dn" -w pass_dn -x -b o=my_organization uid=usu3 -LLL
dn: uid=usu3,ou=users,o=my_organization
uid: usu2
uid: usu3
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: my_cn
sn: my_sn
mail: my_mail@mydomain.com
userPassword:: dXN1YXJpbw==
echo dXN1YXJpbw== | base64 -d
usuario
What am I doing wrong? Thanks!
On 06/03/13 09:58, arantza serrano wrote:
Hello,
I need the userPassword values to be stored hashed. I have configured the slapd.conf file with this option:
password-hash {SSHA}
Hi,
That only takes effect if the password is set via an Extended Operation Password Modify command.
Using slapo-ppolicy and setting ppolicy_hash_cleartext will catch your cases and hash them.
Another solution is to pre-hash them before sending them to ldapadd. You can use slappasswd for this, or do it directly in Perl, for example.
Cheers
Tim
On Wed, 6 Mar 2013 09:58:40 +0000, arantza serrano zazu2276@hotmail.com wrote:
Hello,
I need the userPassword values to be stored hashed. I have configured the slapd.conf file with this option:
password-hash {SSHA}
But when I add users with the ldapadd command, I pass the values of userPassword in plain text, like this:
/opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn << _EOF
dn: uid=usu3,ou=users,o=my_organization
uid: usu2
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
cn: my_cn
sn: my_sn
mail: my_mail@mydomain.com
userPassword: usuario
_EOF
[...]
If you add a new entry, create the password hash by means of slappasswd(8); if you want to modify a user's password, use ldappasswd(1).
-Dieter
openldap-technical@openldap.org