We want to ensure that the userPassword field is secure. Currently, we
are
doing this via two methods:
1. All connections must be over SSL.
2. When we create a password we supply it as a hash.
When creating an account entry in LDAP, our LDAP directory management
tool
(which only speaks LDAP and does not use any proprietary OpenLDAP tools
like
slapadd) creates a hash like so:
{MD5}3kl4jdlkjfdflkdj
We then insert that along with our other entries:
dn: uid=abc,ou=company
objectClass: ...
objectClass: ...
uid=abc
userPassword: {MD5}3kl4jdlkjfdflkdj
Can we use the Password-hash function so that our LDAP management
application can just submit the userPassword in plaintext (communication
is
of course over SSL though) so that OpenLDAP will hash it for us?
1. We create an entry in the app.
2. The app sends:
dn: uid=abc,ou=company
modify: add
objectClass: ...
objectClass: ...
uid=abc
userPassword: mypassword
3. slapd gets the new entry and then automatically hashes userPassword
into
{MD5}3kl4jdlkjfdflkdj.
4. slapd stores the record, including the now hashed userPassword.
I was playing with ldapadmin and noticed that it allows you to specify
one
of several hashing types. If I set Password-hash, can I override this? I
assume I can by just supplying {TYPE}... like so:
userPassword: {MD5}3kl4jdlkjfdflkdj
So will slapd only honor Password-hash if I do plaintext?
userPassword: mypassword