
Re: secure passwords



On Tuesday, 13 September 2011 23:01:23 sim123 wrote:
> Hi All,
> 
> I am trying to store SSHA passwords in OpenLDAP instead of plain text via C
> code and wondering how this works. I tried exploring archives, FAQ etc and
> what I gathered from there is OpenLDAP has built-in support for various
> password encryption algorithms however it does not have any APIs for
> generating passwords

Are you sure?

> and password-hash directive works with ldappasswd
> utility only.

Really? It seems to work fine from pam_ldap (using 'pam_password exop'), 
Net::LDAP and various other tools.

> http://www.openldap.org/faq/data/cache/906.html
> 
> If I use some tool like Apache DS and modify my userPassword attribute to
> be SSHA instead of plain text it all works. I want to know how this works
> under the hood? Who is responsible for generating hashed passwords? If I
> generate it using some C routine how does LDAP Server retrieve it during
> the bind operation? I would really appreciate if there is any related
> documentation available.

Maybe you should read about the Password Modification extended operation ....

IMHO, you shouldn't be hashing passwords on the client-side, it is much better 
to let the DS hash the password in the format it is configured for (so you 
know it will actually be able to use the password, and allowing you to use 
newer/stronger hashes as and when the DS supports them, without coding the 
support yourself).

Regards,
Buchan