Hi All,
I am trying to store SSHA passwords in OpenLDAP instead of plain text via C code and am wondering how this works. I tried exploring archives, the FAQ, etc., and what I gathered from there is that OpenLDAP has built-in support for various password encryption algorithms; however, it does not have any APIs for generating passwords, and the password-hash directive works with the ldappasswd utility only.
http://www.openldap.org/faq/data/cache/906.html
If I use some tool like Apache DS and modify my userPassword attribute to be SSHA instead of plain text, it all works. I want to know how this works under the hood. Who is responsible for generating hashed passwords? If I generate it using some C routine, how does the LDAP server retrieve it during the bind operation? I would really appreciate it if there is any related documentation available.
Thanks for the help and support.
So I did more research and found that Java or SpringSource has APIs for encrypting passwords and I could store the hashed value in OpenLDAP. If that's the case, would the LDAP server be able to retrieve the password during bind?
And another interesting read is
http://blogs.oracle.com/DirectoryManager/entry/the_ssha_password_storage_sch...
Is that true for OpenLDAP? Can I use a similar algorithm for generating passwords? Or would password policy suffice?
On Tue, Sep 13, 2011 at 2:01 PM, sim123 Sim3159@gmail.com wrote:
Hi All,
I am trying to store SSHA passwords in OpenLDAP instead of plain text via C code and am wondering how this works. I tried exploring archives, the FAQ, etc., and what I gathered from there is that OpenLDAP has built-in support for various password encryption algorithms; however, it does not have any APIs for generating passwords, and the password-hash directive works with the ldappasswd utility only.
http://www.openldap.org/faq/data/cache/906.html
If I use some tool like Apache DS and modify my userPassword attribute to be SSHA instead of plain text, it all works. I want to know how this works under the hood. Who is responsible for generating hashed passwords? If I generate it using some C routine, how does the LDAP server retrieve it during the bind operation? I would really appreciate it if there is any related documentation available.
Thanks for the help and support.
sim123 wrote:
So I did more research and found that Java or SpringSource has APIs for encrypting passwords and I could store the hashed value in OpenLDAP. If that's the case, would the LDAP server be able to retrieve the password during bind?
And another interesting read is
http://blogs.oracle.com/DirectoryManager/entry/the_ssha_password_storage_sch...
Is that true for OpenLDAP? Can I use a similar algorithm for generating passwords? Or would password policy suffice?
Should be the same. Compare to:
http://www.openldap.org/faq/data/cache/347.html
Generating the salted hash of the password can be done by the client or within slapd when the client sends an LDAP Password Modify extended operation request (RFC 3062) with the clear-text password (as stated in http://www.openldap.org/faq/data/cache/906.html).
Note that there are various forms of bind requests. Hashed passwords in attribute 'userPassword' can only be used with bind methods which send the plaintext password over the wire (simple bind, SASL/PLAIN), and therefore the communication has to be protected (by LDAPS or LDAP with StartTLS).
Ciao, Michael.
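As an added illustration (not code from this thread or from OpenLDAP itself) of what the stored value looks like and what the comparison at bind time does, here is the {SSHA} scheme from the FAQ entry above in Python: the value is "{SSHA}" followed by the base64 of SHA-1(password + salt) with the salt appended, and checking a simple-bind password means decoding, splitting off the salt, rehashing and comparing. Nothing here needs slapd; it only reproduces the format, and it assumes the 4-byte salt that slappasswd uses by default.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example of OpenLDAP's {SSHA} userPassword scheme:
#   "{SSHA}" + base64( SHA1(password || salt) || salt )
# slappasswd uses a 4-byte salt by default; verification works for any
# salt length because the salt is whatever follows the 20-byte digest.
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value as a client (or slapd) would store it."""
    if salt is None:
        salt = os.urandom(4)  # assumption: same default length as slappasswd
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Compare a plaintext password (as sent in a simple bind) with a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False  # not this scheme; slapd would treat an unprefixed value as cleartext
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:
        return False  # no room for a salt after the digest: malformed
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare so the check itself leaks nothing about the digest
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha_hash("correct horse")
    print(stored, ssha_verify("correct horse", stored), ssha_verify("wrong", stored))
```

Because the salt is random, two stored values for the same password differ, which is exactly why the server cannot "retrieve" the password and instead rehashes what the bind request sends.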
On Tuesday, 13 September 2011 23:01:23 sim123 wrote:
Hi All,
I am trying to store SSHA passwords in OpenLDAP instead of plain text via C code and am wondering how this works. I tried exploring archives, the FAQ, etc., and what I gathered from there is that OpenLDAP has built-in support for various password encryption algorithms; however, it does not have any APIs for generating passwords
Are you sure?
and the password-hash directive works with the ldappasswd utility only.
Really? It seems to work fine from pam_ldap (using 'pam_password exop'), Net::LDAP and various other tools.
http://www.openldap.org/faq/data/cache/906.html
If I use some tool like Apache DS and modify my userPassword attribute to be SSHA instead of plain text, it all works. I want to know how this works under the hood. Who is responsible for generating hashed passwords? If I generate it using some C routine, how does the LDAP server retrieve it during the bind operation? I would really appreciate it if there is any related documentation available.
Maybe you should read about the Password Modification extended operation ....
IMHO, you shouldn't be hashing passwords on the client-side, it is much better to let the DS hash the password in the format it is configured for (so you know it will actually be able to use the password, and allowing you to use newer/stronger hashes as and when the DS supports them, without coding the support yourself).
Regards, Buchan
Buchan Milne wrote:
IMHO, you shouldn't be hashing passwords on the client-side, it is much better to let the DS hash the password
In some use-cases it is better to do client-side hashing. Especially if you want to set more attributes together with attribute 'userPassword' in a single modify request (which means single transaction).
Ciao, Michael.
On 14/09/2011 16:54, Michael Ströder wrote:
Buchan Milne wrote:
IMHO, you shouldn't be hashing passwords on the client-side, it is much better to let the DS hash the password
In some use-cases it is better to do client-side hashing. Especially if you want to set more attributes together with attribute 'userPassword' in a single modify request (which means single transaction).
I still prefer using Password Modification extended operation. I can use smbk5pwd to automatically update also all the other relevant informations (sambaPwdLastSet, sambaLMPassword, sambaNTPassword), having a much simpler code. It's unfortunate that the patch to update also shadowLastChange was not applied.
Simone
On Wed, Sep 14, 2011 at 3:00 AM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Tuesday, 13 September 2011 23:01:23 sim123 wrote:
Hi All,
I am trying to store SSHA passwords in OpenLDAP instead of plain text via C code and am wondering how this works. I tried exploring archives, the FAQ, etc., and what I gathered from there is that OpenLDAP has built-in support for various password encryption algorithms; however, it does not have any APIs for generating passwords
Are you sure?
and the password-hash directive works with the ldappasswd utility only.
Really? It seems to work fine from pam_ldap (using 'pam_password exop'), Net::LDAP and various other tools.
http://www.openldap.org/faq/data/cache/906.html
If I use some tool like Apache DS and modify my userPassword attribute to be SSHA instead of plain text, it all works. I want to know how this works under the hood. Who is responsible for generating hashed passwords? If I generate it using some C routine, how does the LDAP server retrieve it during the bind operation? I would really appreciate it if there is any related documentation available.
Maybe you should read about the Password Modification extended operation ....
IMHO, you shouldn't be hashing passwords on the client-side, it is much better to let the DS hash the password in the format it is configured for (so you know it will actually be able to use the password, and allowing you to use newer/stronger hashes as and when the DS supports them, without coding the support yourself).
I agree that the DS should hash the password; however, I am not sure what the password modification extended operation is. Is it the ldappasswd utility, or does OpenLDAP offer some kind of API to do so? Also, how can I configure hashing in slapd?
Basically my C program will call the ldap_add_ext_s() operation; while doing that, how can I make sure that the userPassword attribute is treated differently (hashed)? I was looking into password policy and am not sure if it suffices for my needs.
Regards, Buchan
sim123 wrote:
I am not sure what password modification extended operation is
It's a separate LDAP extended operation working on an already existing entry, not a normal modify operation (see RFC 3062).
is it ldappasswd utility
Yes.
or does openLDAP offer some kind of API to do so?
See functions ldap_passwd/ldap_passwd_s in OpenLDAP's C API.
Also, how can I configure hashing in slapd?
You already posted the relevant FAQ entry.
Watch out for password-hash in man-page slapd.conf.
Ciao, Michael.
2011/9/14 Michael Ströder michael@stroeder.com
sim123 wrote:
I am not sure what password modification extended operation is
It's a separate LDAP extended operation working on an already existing entry, not a normal modify operation (see RFC 3062).
So if I add a user from the C API, it should add a blank userPassword attribute and then I modify userPassword, is that correct? Can I do add and modify in the same modify request to guarantee the atomicity of the operation? Would LDAP still treat it as an extended operation?
is it ldappasswd utility
Yes.
or does openLDAP offer some kind of API to do so?
See functions ldap_passwd/ldap_passwd_s in OpenLDAP's C API.
Could not find these functions in a man page or Google search; can you please point me to a reference? Thanks for the help.
Also, how can I configure hashing in slapd?
You already posted the relevant FAQ entry.
Watch out for password-hash in man-page slapd.conf.
Thanks for help and support, I really appreciate it.
Ciao, Michael.
2011/9/14 sim123 Sim3159@gmail.com
2011/9/14 Michael Ströder michael@stroeder.com
sim123 wrote:
I am not sure what password modification extended operation is
It's a separate LDAP extended operation working on an already existing entry, not a normal modify operation (see RFC 3062).
So if I add a user from the C API, it should add a blank userPassword attribute and then I modify userPassword, is that correct? Can I do add and modify in the same modify request to guarantee the atomicity of the operation? Would LDAP still treat it as an extended operation?
is it ldappasswd utility
Yes.
or does openLDAP offer some kind of API to do so?
See functions ldap_passwd/ldap_passwd_s in OpenLDAP's C API.
Could not find these functions in a man page or Google search; can you please point me to a reference? Thanks for the help.
Also, how can I configure hashing in slapd?
You already posted the relevant FAQ entry.
Watch out for password-hash in man-page slapd.conf.
Thanks for help and support, I really appreciate it.
Ciao, Michael.
I was also wondering about using ppolicy. I read that if I use ppolicy_hash_cleartext then the server will hash the clear-text password even for modify operations as opposed to password modify extended operations, so which one is better?
Thanks
sim123 wrote:
2011/9/14 Michael Ströder <michael@stroeder.com>
sim123 wrote:
I am not sure what password modification extended operation is
It's a separate LDAP extended operation working on an already existing entry, not a normal modify operation (see RFC 3062).
So if I add a user from the C API, it should add a blank userPassword attribute and then I modify userPassword, is that correct? Can I do add and modify in the same modify request to guarantee the atomicity of the operation? Would LDAP still treat it as an extended operation?
Please read RFC 4511 first and then RFC 3062 to understand the different operations. Otherwise coding that will be a mess. Maybe you're more familiar with a scripting language for which there's also a decent LDAP module.
or does openLDAP offer some kind of API to do so?
See functions ldap_passwd/ldap_passwd_s in OpenLDAP's C API.
Could not find these functions in a man page or Google search; can you please point me to a reference? Thanks for the help.
See include/ldap.h
Ciao, Michael.