
RE: Crypt Passwords?



>How does one go about creating & storing the encrypted passwords in the
>database?

If you already have crypted passwords (say, from NIS), you can use
migrate_passwd.pl, distributed as part of:

http://www.xedoc.com.au/~lukeh/ldap/MigrationTools.tar.gz

>Also, what tools do people generally use to let their users change their
>own passwords?

The ldappasswd tool that ships with ypldapd supports changing crypt
passwords both with OpenLDAP and Netscape LDAP servers. pam_ldap-12 (just
uploaded to http://www.xedoc.com.au/~lukeh/ldap/pam_ldap.tar.gz) also
supports client-side hash generation.

The difference is that, generally, Netscape prefer to generate the hash on
the server. See an earlier email in this discussion list regarding this.

To enable client-side hash generation in pam_ldap, add the following to
/etc/ldap.conf:

pam_crypt local

Now, with Netscape's Directory Server, I thought it was mandatory to send
the password unhashed. It turns out that hashing on the client seems to work
if your server-side hash mechanism is crypt and you're not using the NT
Synchronization Service (which requires the unhashed password). This
provides a semblance of security when changing passwords, but it would be
better for the password changing program to use SSL/TLS.



-- Luke
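
An added illustration of the migration step mentioned in the message above (not part of the original email and not code from MigrationTools): it converts passwd-format lines with existing crypt hashes into LDIF carrying a `{crypt}` userPassword, and skips entries that hold no usable hash. The base DN, object classes and sample accounts are assumptions constructed for the example.

```python
"""Added example: passwd-format lines -> LDIF with {crypt} userPassword values."""

# Constructed sample input (not real accounts or hashes).
# Fields: name:hash:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
alice:abJnggxhB/yWI:1001:100:Alice Example:/home/alice:/bin/sh
bob:*:1002:100:Bob Example:/home/bob:/bin/sh
carol:x:1003:100:Carol Example:/home/carol:/bin/sh
"""

BASE_DN = "ou=People,dc=example,dc=com"  # assumed directory suffix
# Placeholders meaning "no usable hash here" (locked or shadowed entry).
NO_HASH = {"", "*", "x"}


def passwd_line_to_ldif(line, base_dn=BASE_DN):
    """Return (ldif_text, warning_or_None) for one passwd-format line."""
    name, pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    attrs = [("dn", f"uid={name},{base_dn}"),
             ("objectClass", "account"), ("objectClass", "posixAccount"),
             ("uid", name), ("cn", gecos.split(",")[0] or name),
             ("uidNumber", uid), ("gidNumber", gid),
             ("homeDirectory", home), ("loginShell", shell)]
    warning = None
    if pw in NO_HASH or pw.startswith("!"):
        # Importing "*" or "x" as a password would create a broken credential.
        warning = f"{name}: no usable crypt hash ({pw!r}); userPassword omitted"
    else:
        # {crypt} marks the value as an already-hashed crypt(3) string.
        attrs.append(("userPassword", "{crypt}" + pw))
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n", warning


def migrate(text):
    """Convert every account line; return (ldif, warnings)."""
    entries, warnings = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "+", "-")):
            continue  # skip blanks, comments and NIS compat (+/-) entries
        ldif, warn = passwd_line_to_ldif(line)
        entries.append(ldif)
        if warn:
            warnings.append(warn)
    return "\n".join(entries), warnings


if __name__ == "__main__":
    out, warns = migrate(SAMPLE_PASSWD)
    print(out)
    print(*warns, sep="\n")
```

The resulting LDIF contains password hashes, so it should be handled like the original passwd map: restrictive file permissions and an encrypted channel when loading it into the directory.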