
Re: Newbie question: setting userPassword field
Dan wrote:

> I wish for [the UserPassword] field to be stored and retrieved in an
> encrypted format.

You mean hashed, with {crypt} or {SHA} (for example), I assume.

> ... can I send the server an unencrypted password, then automatically have it
> encrypt it for storage?

Netscape Directory Server will do this.  OpenLDAP would not, last time
I checked.  But perhaps this feature has been added recently.  Anyone?

I recommend enhancing the software that sets the password, to compute and send
the hash (not the cleartext) to the LDAP server.  This is compatible with
OpenLDAP, and it improves security (because it avoids sending the cleartext
password via LDAP, where enemies might monitor it).  The difficult part of the
software is publicly available.  For {SHA}, see
<http://developer.netscape.com/tech/overview/index.html?content=/docs/technote/ldap/pass_sha.html>
under "Software" (about half way down the page).

> Will subsequent authentication attempts automatically correctly compare
> against the encrypted password?

Yes; if the userPassword attribute value contains a hash that the LDAP server
supports, the LDAP server will use it to handle LDAP Bind requests, just as you
might reasonably expect.

LDAP clients are a separate issue.  Applications that read the userPassword
attribute (via LDAP Search), and use its values in their own authentication
algorithms must have software to support hashed passwords.  I'm not sure
whether Apache does this; I suspect it does.  I have no idea whether it
supports hashed passwords.  It should, IMHO.
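
The client-side hashing the reply recommends, as an added example that is not part of this thread or of the Netscape code it links to: it builds a {SHA} userPassword value and, going beyond the post, the salted {SSHA} variant, then performs the comparison a directory server does on Bind. Function names are my own.

```python
import base64
import hashlib
import hmac
import os


def make_sha_password(password: str) -> str:
    """Unsalted {SHA} scheme: '{SHA}' + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha_password(password: str, salt: bytes = b"") -> str:
    """Salted {SSHA} scheme: '{SSHA}' + base64(SHA-1(password + salt) + salt).

    A fresh random salt is generated unless one is supplied (supplying one
    is only useful for reproducible tests)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored {SHA}/{SSHA} value, the way a
    server that supports the scheme handles a simple Bind."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(expected, actual)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        actual = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(expected, actual)
    raise ValueError("unsupported userPassword scheme in: " + stored)


if __name__ == "__main__":
    # Constructed sample: "secret" hashed with both schemes.
    for value in (make_sha_password("secret"), make_ssha_password("secret")):
        print("userPassword:", value)
        print("  bind with 'secret':", verify_password(value, "secret"))
        print("  bind with 'Secret':", verify_password(value, "Secret"))
```

The {SHA} form is deterministic, so identical passwords produce identical attribute values; {SSHA} avoids that by folding a per-entry salt into the stored value.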