
Re: Using Password-hash to create secure passwords..



I asked a similar question a while back and the answer is that it does not do
so by design.  Look in the archives for September of 2004 for the entire
thread. The subject was "Passwords don't appear to hash ???".

(This list is archived, isn't it?)

-- Rob

--On Thursday, January 27, 2005 04:14:25 PM -0600 fuser9bb@hotpop.com wrote:

> We want to ensure that the userPassword field is secure. Currently, we are
> doing this via two methods:
> 
> 1. All connections must be over SSL.
> 2. When we create a password we supply it as a hash.
> 
> When creating an account entry in LDAP, our LDAP directory management tool
> (which only speaks LDAP and does not use any proprietary OpenLDAP tools like
> slapadd) creates a hash like so:
> 
> {MD5}3kl4jdlkjfdflkdj
> 
> We then insert that along with our other entries:
> 
> dn: uid=abc,ou=company
> objectClass: ...
> objectClass: ...
> uid: abc
> userPassword: {MD5}3kl4jdlkjfdflkdj
> 
> Can we use the Password-hash function so that our LDAP management
> application can just submit the userPassword in plaintext (communication is
> of course over SSL though) so that OpenLDAP will hash it for us?
> 
> 1. We create an entry in the app.
> 
> 2. The app sends:
> 
> dn: uid=abc,ou=company
> changetype: add
> objectClass: ...
> objectClass: ...
> uid: abc
> userPassword: mypassword
> 
> 3. slapd gets the new entry and then automatically hashes userPassword into
> {MD5}3kl4jdlkjfdflkdj.
> 
> 4. slapd stores the record, including the now hashed userPassword.
> 
> I was playing with ldapadmin and noticed that it allows you to specify one
> of several hashing types. If I set Password-hash, can I override this? I
> assume I can by just supplying {TYPE}... like so:
> 
> userPassword: {MD5}3kl4jdlkjfdflkdj
> 
> So will slapd only honor Password-hash if I do plaintext?
> 
> userPassword: mypassword
> 
> 



-- 
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
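Rob's answer is that slapd does not hash a userPassword supplied in clear through an add or modify; the password-hash directive governs only the Password Modify extended operation (RFC 3062, the path ldappasswd uses). A management tool that speaks plain LDAP therefore has to hash on the client, as the original poster's tool already does. The Python below is an added example for this thread, not code from the thread or from OpenLDAP: it produces the RFC 2307 {MD5} value the poster's tool sends (unsalted, so two users with the same password get identical values), the salted {SSHA} value slappasswd emits by default, verifies a stored value against a candidate password, and assembles the add LDIF with the hash already in place. The helper names, the objectClass choice, and the sample uid and password are the example's own assumptions.

```python
"""Client-side userPassword hashing in the RFC 2307 {scheme}base64 form.

Added example for this thread; not OpenLDAP code. Helper names, the
objectClass list and the sample values are the example's own assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def md5_hash(password: str) -> str:
    """{MD5}: base64 of the raw, unsalted MD5 digest (the form in the post).

    Unsalted, so equal passwords always produce equal stored values.
    """
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64 of sha1(password || salt) || salt, slappasswd's default.

    A fresh random salt per password defeats precomputed tables and hides
    password reuse between entries.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    Handles {MD5}, {SMD5}, {SHA}, {SSHA} and cleartext (no scheme prefix).
    Comparisons are constant-time.
    """
    candidate = password.encode("utf-8")
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), candidate)
    scheme, sep, encoded = stored[1:].partition("}")
    if not sep:
        raise ValueError("malformed userPassword value")
    raw = base64.b64decode(encoded)
    scheme = scheme.upper()
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(candidate).digest(), raw)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    if scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]  # 16-byte MD5 digest, then salt
        return hmac.compare_digest(hashlib.md5(candidate + salt).digest(), digest)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then salt
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    raise ValueError(f"unsupported scheme {{{scheme}}}")


def add_entry_ldif(uid: str, password: str, base: str = "ou=company") -> str:
    """LDIF for an add with userPassword hashed client-side.

    objectClass choice (account + simpleSecurityObject) is an assumption
    of this example; substitute the real schema.
    """
    lines = [
        f"dn: uid={uid},{base}",
        "changetype: add",
        "objectClass: account",
        "objectClass: simpleSecurityObject",
        f"uid: {uid}",
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample_pw = "secret"  # constructed sample password
    print(md5_hash(sample_pw))  # {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
    print(add_entry_ldif("abc", sample_pw))
```

The LDIF that add_entry_ldif returns is what the tool would hand to ldapadd over the TLS session the post already requires; slapd stores the value as received, and a later simple bind against the entry succeeds because slapd recognises the {SSHA} prefix on comparison.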