
Re: Passwords don't appear to hash ???



Rob Tanner wrote:

While using ldappasswd the immediate problem, it leads me to another serious
issue. I am in the process of moving from a Netscape4 server to OpenLdap.
Passwords are maintained via a webapp written in Java. Using the JNDI for
LDAP access, I merely send the cleartext password to the LDAP server, and it
takes care of the hashing. Will I now have to do the {SHA} hash within the
application before sending the password to OpenLdap? And if so, do I or do I
not have to preface the hash with {SHA}?


If you use the Password Modify exop, you only need to send the cleartext password. If you use regular LDAPModify, then you must hash it and attach the prefix yourself.

Thanks,
Rob

--On Thursday, September 30, 2004 04:55:04 PM -0700 "Kurt D. Zeilenga"
<Kurt@OpenLDAP.org> wrote:



At 04:28 PM 9/30/2004, Rob Tanner wrote:


I have OpenLdap v.2.2.17 installed and when I add passwords encryption does
not happen -- even when I added the line "password-hash {SSHA}" to
slapd.conf. I even tried adding a record as an LDIF using the ldapadd
command, and prefacing the password text with {SSHA}, and still all that
appears to be stored is a BASE64 version of the cleartext password.
Ldapsearch returns clear text.


By design.



Is there some additional setting that I'm missing?


Use of the LDAP Password Modify Extended Operation, e.g.,
ldappasswd(1).  See slapd.conf(5).

Kurt










--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
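
An added example, not part of the original thread and not OpenLDAP's own code: when a client writes userPassword with a regular modify, as the reply above describes, it has to build the hashed value and the scheme prefix itself. This Python sketch builds and verifies {SHA} and {SSHA} values and classifies the base64 text that LDIF output shows after "userPassword::"; the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

def make_sha(password):
    """{SHA}: base64 of the unsalted SHA-1 digest, with the scheme prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def make_ssha(password, salt=None):
    """{SSHA}: base64 of SHA-1(password + salt) followed by the salt itself."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(password, stored):
    """Check a cleartext password against a {SHA} or {SSHA} value."""
    scheme, sep, encoded = stored.partition("}")
    if not sep or scheme.upper() not in ("{SHA", "{SSHA"):
        raise ValueError("unsupported or missing scheme prefix")
    raw = base64.b64decode(encoded)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)

def ldif_scheme(b64_value):
    """Classify the base64 text that follows 'userPassword::' in LDIF output."""
    value = base64.b64decode(b64_value).decode("utf-8", "replace")
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"  # no {scheme} prefix: the stored value is the password

if __name__ == "__main__":
    stored = make_ssha("secret")  # constructed sample password
    print("userPassword:", stored)
    print("verifies:", verify("secret", stored))
    # What a cleartext value looks like once LDIF base64-encodes it
    as_ldif = base64.b64encode(b"secret").decode("ascii")
    print("LDIF value", as_ldif, "->", ldif_scheme(as_ldif))
```

Running ldif_scheme over exported userPassword values is a quick way to spot entries that were written without a hash, which is the situation described in the original question.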