
Re: LDAP password management



On 08/22/12 19:43 +0300, Adrian Paleacu wrote:
Hi Dan,

Thank you for the quick response. So it is not possible to inform the LDAP service
that an already hashed password is being passed through.

You can accomplish hashing of your password, over the network, by binding
with SASL. Depending on the mechanism you use, doing so will require you to
store your passwords in cleartext on the server. See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/mechanisms.php

OTP and SRP do not require storing your password in cleartext.

In any case, if your desire is to secure the transmission of your password,
the use of TLS is recommended.

If you're asking how to handle the case where you're transitioning to an
ldap based authentication scheme from a hashed password store (such as
/etc/shadow), see the manpage for crypt(3), and prepend your hashes with
{CRYPT} before storing them within slapd.

On Wed, Aug 22, 2012 at 6:06 PM, Dan White <dwhite@olp.net> wrote:

On 08/22/12 17:48 +0300, Adrian Paleacu wrote:

Hi everyone,

I have a binding question regarding the password. Is it possible to send a
hashed password to an LDAP system? My passwords are hashed and I don't have a
way to send them as plain text.


See Section 14.4 of the OpenLDAP Administrator's guide.

If your passwords are stored on your server in certain hashed forms, then
slapd will expect you to transmit a cleartext password to be hashed and
locally compared with the stored password value.

--
Dan White
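The two points Dan makes above, that slapd re-hashes a cleartext bind password and compares it locally against the stored value, and that existing crypt(3) hashes can be migrated by prefixing them with {CRYPT}, can be illustrated with the following Python script. It is an added example, not code from the thread or from OpenLDAP; the shadow line, salt and hash in it are constructed placeholders, the "server-side" verification mirrors what slapd does for the {SSHA} scheme (OpenLDAP's default password-hash) and for {CRYPT} it defers to Python's crypt module, which is deprecated and absent in Python 3.13.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample /etc/shadow line. The $6$ (SHA-512 crypt) salt and the
# 86-character hash are placeholders, not a real account's values.
SAMPLE_SHADOW_LINE = "alice:$6$Qm7xVt2p$" + "x" * 86 + ":15934:0:99999:7:::"


def shadow_to_userpassword(shadow_line: str) -> str:
    """Build the userPassword value slapd expects for a pre-existing crypt(3)
    hash: the hash string itself, prefixed with the {CRYPT} scheme tag.
    slapd will later pass a cleartext bind password through crypt(3) with the
    salt embedded in this string and compare the result to it."""
    fields = shadow_line.split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow(5) line")
    user, pw_hash = fields[0], fields[1]
    # Locked accounts (! or * prefixes) and empty fields must not be migrated.
    if pw_hash == "" or pw_hash.startswith(("!", "*")):
        raise ValueError(f"{user}: account locked or has no password")
    return "{CRYPT}" + pw_hash


def shadow_to_ldif(shadow_line: str, base_dn: str) -> str:
    """Render a minimal LDIF modify for the migrated hash (hypothetical DN layout)."""
    user = shadow_line.split(":")[0]
    value = shadow_to_userpassword(shadow_line)
    return (
        f"dn: uid={user},{base_dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {value}\n"
    )


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Model of the server-side check: re-hash the cleartext candidate with the
    salt taken from the stored value and compare in constant time. This is why
    a client cannot submit an already hashed password for a simple bind."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(recomputed, digest)
    if stored.startswith("{CRYPT}"):
        try:
            import crypt  # deprecated; removed in Python 3.13
        except ImportError as exc:
            raise NotImplementedError("crypt(3) binding not available") from exc
        stored_hash = stored[len("{CRYPT}"):]
        # crypt.crypt() reuses the salt (and rounds) embedded in stored_hash.
        return hmac.compare_digest(crypt.crypt(candidate, stored_hash), stored_hash)
    raise ValueError("unsupported password scheme")


if __name__ == "__main__":
    print(shadow_to_ldif(SAMPLE_SHADOW_LINE, "ou=people,dc=example,dc=com"))
    stored = ssha_hash("correct horse")
    print(stored, verify_userpassword(stored, "correct horse"))
```

The {SSHA} path shows the mechanism in full: the salt is recoverable from the stored value, so the server can only verify a bind if the client sends the cleartext for it to re-hash; sending the stored hash string as the bind password would simply be hashed again and fail.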