Hi people,
I am using ubuntu and phpldapadmin to manage openldap.
I have a big issue here: when using phpldapadmin/openldap, all the time there is (for each user/entry) a field with
cleartextPassword: <cleartextpassword> (this is seen in slapcat output)
What I want is to put in place a mechanism where there is no plain text field with the password in clear in each entry of openldap.
I have read about the ppolicy overlay, slappasswd and so on, but so far I was not able to figure out how to avoid this annoying clear text password being available when I do a slapcat (as root, of course).
Has anybody had such an issue?
Any ideas or links to point for a solution?
Another question: is it possible that this clear text password is somehow needed for the correct operation of openldap?
Thanks a lot for your time and (I hope) help.
Kind regards,
Manuel - Lisbon PT
This is what I got for the user mafonso (me) when doing a slapcat > output (as can be seen, there is the field cleartextPassword: with the password in clear text):
dn: cn=mafonso,ou=***,dc=***,dc=***,dc=***,dc=pt
objectClass: ****Person
objectClass: mailAccount
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top
givenName: Manuel
sn: Afonso
displayName: Manuel Afonso
cn: mafonso
mailacceptinguser: 1
maildrop: mafonso@***.pt
intranetRole: cn=**,ou=**,ou=**,dc=**,dc=**,dc=**,dc=pt
...
portalRole: ***
...
gidNumber: 516
sambaSID: ***
uidNumber: 1399
uid: mafonso
homeDirectory: /home/mafonso
intranetStatus: U
sambaAcctFlags: [UX]
loginShell: /bin/false
mailacceptinggeneralid: mafonso@****
mailacceptinggeneralid: ***@**.**.**.pt
userPassword:: e1N....
cleartextPassword: <cleartextpassword>
sambaNTPassword: D6...
sambaLMPassword: 45...
Manuel Afonso wrote:
> I have here a big issue: when using phpldapadmin/openldap, all the times there is (for each user/entry) a field with
> cleartextPassword: <cleartextpassword> (this is seen in slapcat output)
If you don't want your passwords to be stored in clear, then simply don't store them in clear.
Find out why it's stored there by which component: Which schema is this? Does phpldapadmin create this attribute or another application? Is the clear-text password actually used (e.g. for some challenge-response)?
The standard mech to store passwords for normal LDAP simple binds is to put a salted hash of the password in attribute 'userPassword'.
> What I want is to put in place a mechanism where there is no plain text field with the password in clear in each entry of openldap.
There is no built-in mechanism in OpenLDAP for reversible encryption of specific attributes.
Ciao, Michael.
Please don't use phpldapadmin. It is painful trying to help someone who is operating with such a handicap.
Here's what I did to encrypt passwords (with slapd.conf; if you are using OLC you will need to olc-ize this):
moduleload ppolicy.la
password-hash {CRYPT}
password-crypt-salt-format "$6$%.12s"
overlay ppolicy
ppolicy_default "cn=default_pwpolicy,dc=about,dc=com"
ppolicy_hash_cleartext
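To verify that a directory no longer has the problem this thread is about (a cleartextPassword attribute in entries, or a userPassword that is not stored under a one-way scheme such as the {CRYPT} hashes the ppolicy_hash_cleartext setup above produces), here is an added audit script that runs over a slapcat dump. It is not part of this thread or of OpenLDAP; the sample LDIF is constructed, and the list of schemes treated as one-way is an assumption you can extend.

```python
import base64
import re
# One-way schemes; no scheme or {CLEARTEXT} means the password is recoverable.
HASHED_SCHEMES = {"{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}", "{ARGON2}"}

# Constructed sample shaped like the slapcat output in this thread (not real data).
SAMPLE_LDIF = """dn: cn=alice,ou=people,dc=example,dc=test
userPassword:: e1NTSEF9c29tZWhhc2g=
cleartextPassword: hunter2

dn: cn=bob,ou=people,dc=example,dc=test
userPassword: {CRYPT}$6$constructed$notarealhash

dn: cn=carol,ou=people,dc=example,dc=test
userPassword: plaintext-by-mistake
"""

def parse_ldif(text):
    """Unfold continuation lines, decode '::' base64 values; return [{attr: [values]}]."""
    lines, entries, current = [], [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        else:
            lines.append(raw)
    for line in lines + [""]:             # trailing "" flushes the last entry
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif m:
            attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":               # slapcat base64-encodes userPassword
                value = base64.b64decode(value).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value)
    return entries

def audit_entry(entry):
    # Returns one finding string per problem; an empty list means the entry is clean.
    dn, findings = entry.get("dn", ["<no dn>"])[0], []
    if "cleartextpassword" in entry:
        findings.append(f"{dn}: recoverable password in cleartextPassword")
    for pw in entry.get("userpassword", []):
        scheme = pw[:pw.find("}") + 1].upper() if pw.startswith("{") else ""
        if scheme not in HASHED_SCHEMES:
            findings.append(f"{dn}: userPassword not one-way hashed (scheme {scheme or 'none'})")
    return findings

def audit_ldif(text):
    return [f for entry in parse_ldif(text) for f in audit_entry(entry)]
```

Run it as `slapcat | python3 -c 'import sys, audit; print("\n".join(audit.audit_ldif(sys.stdin.read())))'` (module name assumed) and expect no output once the ppolicy setup is in place and the cleartextPassword attribute has been removed.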
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Manuel Afonso
Sent: Thursday, August 20, 2015 12:44 PM
To: openldap-technical@openldap.org
Subject: ClearText Passwords in slapcat: please provide some inputs