
Re: Passwords don't appear to hash ???



At 05:21 PM 9/30/2004, Rob Tanner wrote:
>While using ldappasswd is the immediate problem, it leads me to another serious
>issue.  I am in the process of moving from a Netscape4 server to OpenLDAP.
>Passwords are maintained via a webapp written in Java.  Using the JNDI for
>LDAP access, I merely send the cleartext password to the LDAP server,

slapd(8) doesn't muck with values of user application attributes,
it preserves the value provided by the client.

>and it takes care of the hashing.  Will I now have to do the
>{SHA} hash within the application before sending the password
>to OpenLDAP?

The standard track approach would be to extend the client
to update the password via the LDAP Password Modify Extended
Operation.  How to implement LDAP extended operations
using JNDI is a topic for a forum about JNDI.

>And if so, do I or do I not have to preface the hash with {SHA}?

Use of LDAP Password Modify Extended Operation frees the client
from such details.

You could, of course, hash the password yourself.  The
FAQ has some useful information on how to do that.  But
I don't recommend doing that (I recommend using the
standard track approach).

You could also extend slapd(8) (using various plugin APIs)
to support whatever hashing you want.  But I don't recommend
doing this (I recommend using the standard track approach).

Kurt