
RE: How can I get OpenLDAP to hash passwords as crypt?

ldapadd will not pay any attention to the "password-hash" config variable.  The tool just adds whatever is in the LDIF file.

The only tool that will pay attention to the "password-hash" is ldappasswd, which sends a password change extended operation with a cleartext password.  The server is then responsible for crypt(3)ing the password and storing it.  (slappasswd does the same thing, only locally.)

And the password-crypt-salt-format configuration variable is good because different operating systems have different versions of crypt(3).  The traditional crypt uses 2-character salts and DES.  Sometimes you will see salts that indicate an MD5-based algorithm (this is _not_ the same as the {MD5} method built into slapd!); these look like:

$1$salt$cryptedstuff

Some *BSDs can use "extended DES", which has 4 characters of salt and looks like:

_saltcryptedstuff

Using "password-crypt-salt-format" you can specify what the salt that is passed to crypt(3) will look like.
"%s"           (the default) will result in 2 character original DES crypt
"$1$%s"        will result in the MD5 based crypt(3)
"_%s"          will result in the "extended DES" that I mentioned above.

My slapd.conf contains:
password-hash  {CRYPT}
password-crypt-salt-format "$1$%.8s"

-----Original Message-----
From: Kervin L. Pierre [mailto:kervin@blueprint-tech.com]
Sent: Wednesday, July 10, 2002 12:17 PM
To: openldap-software@OpenLDAP.org
Subject: How can I get OpenLDAP to hash passwords as crypt?



Hi,

I am trying to have OpenLDAP hash passwords using the crypt(3) format
before storing them in the userpassword attribute, but with no luck.  How is
this done?

I am using 2.1.2 and I have the "password-hash {CRYPT}" in my config file.
My ldapadds use the cleartext passwords, e.g. "userpassword: secret", but
I'm guessing OpenLDAP will hash those before storing them?  If not, how do
I do this?

I saw the config option "password-hash-salt", but I didn't understand the
explanation given.  When would I need to set this?  My OpenLDAP server is
running on a Linux box, but the clients are Solaris 8/9 machines, so I'm
thinking the salt might be a factor?
Has anyone successfully done this?

thanks,
--Kervin
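As an added example (my own code, not from the thread and not OpenLDAP's), the following Python models what the reply above describes for "password-hash {CRYPT}" with password-crypt-salt-format "$1$%.8s": the random salt is rendered through the printf-style format, the $1$ MD5 variant of crypt(3) is computed in pure Python, and stored {CRYPT} values are classified so an administrator can spot entries still using 2-character-salt DES. Function names are mine, and the 16-character raw salt is an assumption (the thread does not say how long slapd's own salt is; the point is that "%.8s" truncates it).

```python
import hashlib
import secrets
# slapd feeds a random salt through the printf-style password-crypt-salt-format
# and hands the result to crypt(3); Python's % operator truncates "%.8s" the same way.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def render_salt(salt_format: str, raw_salt: str) -> str:
    """Apply a password-crypt-salt-format such as "$1$%.8s" to a raw salt."""
    return salt_format % raw_salt

def _to64(v: int, n: int) -> str:  # crypt's base64 variant, low 6 bits first
    return "".join(SALT_CHARS[(v >> (6 * k)) & 0x3F] for k in range(n))

def md5_crypt(password: bytes, setting: str) -> str:
    """Pure-Python crypt(3) for the "$1$salt" (MD5-based) variant."""
    salt = setting[3:].split("$", 1)[0][:8].encode()  # crypt(3) keeps at most 8 salt chars
    alt = hashlib.md5(password + salt + password).digest()
    ctx = password + b"$1$" + salt
    for left in range(len(password), 0, -16):
        ctx += alt[:min(16, left)]
    i = len(password)
    while i:  # one byte per bit of len(password): NUL for 1 bits, password[0] for 0 bits
        ctx += b"\0" if i & 1 else password[:1]
        i >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):  # fixed 1000-round stretching
        ctx1 = password if i & 1 else final
        if i % 3: ctx1 += salt
        if i % 7: ctx1 += password
        ctx1 += final if i & 1 else password
        final = hashlib.md5(ctx1).digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$1$" + salt.decode() + "$" + out + _to64(final[11], 2)

def hash_like_slapd(password: str, salt_format: str = "$1$%.8s") -> str:
    """Build the userPassword value slapd stores under password-hash {CRYPT}."""
    raw = "".join(secrets.choice(SALT_CHARS) for _ in range(16))  # assumed length; longer than 8
    setting = render_salt(salt_format, raw)
    assert setting.startswith("$1$"), "only the $1$ (MD5) variant is emulated: " + setting
    return "{CRYPT}" + md5_crypt(password.encode(), setting)

def classify_crypt(value: str) -> str:
    """Report which crypt(3) variant a stored {CRYPT} value uses (audit for weak DES)."""
    h = value.removeprefix("{CRYPT}")
    if h.startswith("$1$"):
        return "md5-crypt salt=" + h[3:].split("$", 1)[0]
    if h.startswith("_") and len(h) == 20:  # 4 count chars + 4 salt chars + 11 hash chars
        return "extended DES count=%s salt=%s" % (h[1:5], h[5:9])
    return "traditional DES salt=" + h[:2] if len(h) == 13 else "unknown"
```

Traditional DES and extended DES are only recognised, not computed, since those need a DES implementation; the "$1$" output can be checked against the system crypt(3) on any host whose libc supports it.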