[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Salted passwords, further clarification please

To: m h <sesquile@gmail.com>
Subject: Re: Salted passwords, further clarification please
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 26 Jan 2007 10:38:08 +0100
Cc: openldap-software@openldap.org
In-reply-to: <e36b84ee0701241050s55bfc4f9m61e071159a82cd2f@mail.gmail.com>
References: <e36b84ee0701241050s55bfc4f9m61e071159a82cd2f@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2pre) Gecko/20070111 SeaMonkey/1.1

m h wrote:
> 
> I'm trying to write a script to change the rootpw value in slapd.conf.

Why? Parsing slapd.conf yourself is error-prone. If you really need the
rootdn I would disable rootpw in slapd.conf and add a real entry for
rootdn for which you can set the userPassword attribute.

> My question has to do with the random salt.  How do I verify the
> existing password?

>  Going through slappasswd doesn't appear to work,
> since it uses a random salt each time.

Yes, slappasswd is for generating not checking password values.

> Furthermore, how does the server know what the salt is? 

Since you know how long the particular hash value is everything else is
the salt.

> (I read through the FAQ on the website and it says the salt is added
> to the password before encryption).

The salt is randomly chosen and hashed (not encrypted) together with the
password.

Anyway I'd recommend not to mess with slapd.conf at all (see above).

Ciao, Michael.

Follow-Ups:
- Re: Salted passwords, further clarification please
  - From: Matthew Backes <mbackes@symas.com>

References:
- Salted passwords, further clarification please
  - From: "m h" <sesquile@gmail.com>

Prev by Date: Can't add data to new ou
Next by Date: sessionlog vs syncprov_sessionlog / missing delete phase
Index(es):
- Chronological
- Thread