Re: MD5 password issue

[Hallvard B Furuseth <h.b.furuseth@usit.uio.no>]

Quanah Gibson-Mount writes:
>--On Wednesday, July 27, 2005 11:23 AM -0400 Alejandro Acosta
><alejandro.acosta@comsat.com.ve> wrote:
>> The strange thing is that slapcat brings something like:
>>
>> -- cut here --
>> cn: md5user
>> description: MD5USER
>> userPassword:: e01ENX1jODFlNzI4ZDlkNGMyZjYzNmYwNjdmODljYzE0ODYyYw==
>> structuralObjectClass: organizationalRole
>> -- cut here --
>>
>> Notice that the userPassword is pretty different..,  ldap hashed in
>> someway  the original password given in the ldif file.

In LDIF format, which is output by slapcat and ldapsearch, '::'
after an attribute name means the value is base64-encoded.

> No.  It Mime-Base 64 encoded the attribute value when it was written
> into the LDAP server, which is a standard thing to do in all LDAP
> servers for particular data sets.

No.  It is OpenLDAP's LDIF output routine which uses the base64 variant
of LDIF format to output userPassword.  That way, if the user outputs
his password unintentionally and it is not in {crypt/md5/whatever}
format, at least the password won't be in cleartext on the screen for
anyone nearby to read.

How the value is stored internally in the server is irrelevant.
(And the value is not passed base64-encoded over the protocol,
if anyone wonders.)

-- 
Hallvard
For sale: Parachute. Never opened, used once, slightly stained.