
RE: disable password hash



I haven't looked too closely at this, but I should mention that I've been
planning to add support for the Microsoft UnicodePwd syntax to slapd. (All
it has to do is transform UTF8 -> UCS2 and enclose in double-quotes, pretty
simple.) The intent is to allow a password set in OpenLDAP to be replicated
to AD transparently...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: kervin@blueprint-tech.com [mailto:kervin@blueprint-tech.com]
> Sent: Wednesday, May 22, 2002 8:49 PM
> To: hyc@highlandsun.com
> Cc: openldap-devel@openldap.org
> Subject: RE: disable password hash
>
>
> I'm a little confused about cleartext password use in slapd.  This patch
> seems to be what I need to get things to work.  Am I mistaken?
> The patch causes {CLEARTEXT} scheme to be treated just as the
> other schemes.
>
> This is needed in cases where we want the back-end to handle the cleartext
> passwords.  As in a perl module I am writing to add/modify Win2k users.
> --Kervin
>
> > Looks like a bug, definitely. Should probably use the BER_BVC macro in
> > there anyway.
> >
> >  -- Howard Chu
> >  Chief Architect, Symas Corp.       Director, Highland Sun
> >  http://www.symas.com               http://highlandsun.com/hyc
> >  Symas: Premier OpenSource Development and Support
> >
> >> -----Original Message-----
> >> From: kervin@blueprint-tech.com [mailto:kervin@blueprint-tech.com]
> >> Sent: Wednesday, May 22, 2002 6:48 PM
> >> To: hyc@highlandsun.com
> >> Cc: kervin@blueprint-tech.com; openldap-software@OpenLDAP.org
> >> Subject: RE: disable password hash
> >>
> >>
> >> Hi,
> >>
> >> looked into it.  'password-hash {CLEARTEXT}' fails and I have '#define
> >> SLAPD_CLEARTEXT 1' set I'm sure.
> >> I think the cleartext schema is always ignored since in
> >> libraries/libutil/passwd.c, in get_schemes()
> >> 	for( i=0; pw_schemes[i].name.bv_val; i++) {
> >> 		if( pw_schemes[i].name.bv_len == 0 ) continue;
> >>
> >> 		if( strncasecmp(scheme, pw_schemes[i].name.bv_val,
> >> 			pw_schemes[i].name.bv_len) == 0 )
> >> 		{
> >> 			return &pw_schemes[i];
> >> 		}
> >> 	}
> >>
> >> 	return NULL;
> >>
> >>
> >> but cleartext is defined as ...
> >>
> >> #ifdef SLAPD_CLEARTEXT
> >> 	/* pseudo scheme */
> >> 	{ {0, "{CLEARTEXT}"}, NULL, NULL },
> >> #endif
> >>
> >>
> >> cleartext's name.bv_len is *always* zero, therefore fails.
> >> Shouldn't this be
> >>
> >>
> >> #ifdef SLAPD_CLEARTEXT
> >> 	/* pseudo scheme */
> >> 	{ {sizeof("{CLEARTEXT}")-1, "{CLEARTEXT}"}, NULL, NULL },
> >> #endif
> >>
> >> like the others?
> >>
> >> --Kervin
> >>
> >>
> >> >> -----Original Message-----
> >> >> From: owner-openldap-software@OpenLDAP.org
> >> >> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
> >> >> kervin@blueprint-tech.com
> >> >
> >> >> I'd like to disable password hashing in slapd.  Does anyone know
> >> >> how to do this?
> >> >
> >> > Yes, but (seems to be the week for this) - why?
> >> >
> >> >> I've seen the "password-hash" slapd.conf option in the slapd.conf
> >> >> man page, but it does not allow me to set the hash function to
> >> >> "NONE", which is basically what I want to do.
> >> >>
> >> >> Any ideas?
> >> >
> >> > Use the Source, luke...
> >> >>
> >> >> --Kervin
> >> >>
> >> >
> >> > Use the {CLEARTEXT} scheme. slapd must have been configured with
> >> > --enable-cleartext for this to work.
> >> >
> >> >  -- Howard Chu
> >> >  Chief Architect, Symas Corp.       Director, Highland Sun
> >> >  http://www.symas.com               http://highlandsun.com/hyc
> >> >  Symas: Premier OpenSource Development and Support
>
>
>
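The lookup failure discussed in this thread, reproduced as an added example that is not part of the original messages or of OpenLDAP's source. The struct layout is simplified, and `find_scheme`, `BVC`, `buggy_schemes` and `fixed_schemes` are hypothetical names; the `{SSHA}` row is a constructed sample entry.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Simplified stand-ins for the types in the thread (assumption: the real
 * table entries also carry two function pointers, omitted here). */
struct berval { size_t bv_len; const char *bv_val; };
struct pw_scheme { struct berval name; };

/* Length is derived from the literal at compile time, so the length and
 * the string cannot drift apart. Local macro, not OpenLDAP's BER_BVC. */
#define BVC(s) { sizeof(s) - 1, (s) }

/* Table shaped like the one quoted above: {CLEARTEXT} has bv_len == 0. */
static const struct pw_scheme buggy_schemes[] = {
    { BVC("{SSHA}") },
    { { 0, "{CLEARTEXT}" } },
    { { 0, NULL } }                 /* terminator: bv_val == NULL */
};

/* Same table with the length filled in, as proposed in the thread. */
static const struct pw_scheme fixed_schemes[] = {
    { BVC("{SSHA}") },
    { BVC("{CLEARTEXT}") },
    { { 0, NULL } }
};

/* The quoted loop, parameterised on the table so both can be compared. */
static const struct pw_scheme *
find_scheme(const struct pw_scheme *tab, const char *scheme)
{
    int i;
    for (i = 0; tab[i].name.bv_val; i++) {
        /* The guard matters: strncasecmp() with n == 0 returns 0, so a
         * zero-length entry would otherwise match every scheme name. */
        if (tab[i].name.bv_len == 0) continue;
        if (strncasecmp(scheme, tab[i].name.bv_val, tab[i].name.bv_len) == 0)
            return &tab[i];
    }
    return NULL;
}

int main(void)
{
    printf("zero-length entry: %s\n",
           find_scheme(buggy_schemes, "{CLEARTEXT}") ? "found" : "NULL");
    printf("sized entry:       %s\n",
           find_scheme(fixed_schemes, "{cleartext}") ? "found" : "NULL");
    return 0;
}
```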