[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re[2]: userpassword formats

What hash function does OpenLDAP use to compute the hash of userPassword? Is it
a LDAP standard?

"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> on 2000/10/13 09:13:40 AM
To: mcoughlan@gothambroadband.com
cc: openldap-software@OpenLDAP.org (bcc: Kalman KK Wan/ITSD/HKSARG)
Subject: Re: userpassword formats

At 05:11 PM 10/12/00 -0400, Mike Coughlan wrote:
>I am looking for information about to set the userpassword field to
>authenticate LDAP from Netscape and Outlook.

Most LDAP clients (include the Netscape and Outlook clients)
use simple bind.  Simple bind provides not security protection itself.
Unless the confidentiality is protected provided by a lower level,
such as TLS (SSL) or IPSEC, the password is transmitted in the

>Does anyone know if Netscape and Outlook require secure hash algorithm
>format, clear-text or MD5 hash format?

Clients generally don't care.  The client send the actual password
and the server computes the hash of the password and compares it
to the saved hash.  If the hashes match, the passwords are assumed
to match, and the authentication is successful.

The hashing of the stored password does not add security to the
simple bind operation.  Hashing the password just makes the value
not immediately usable if read from the directory.  However, the
value is still subject to dictionary and other acts.  As such,
it's generally advised to protect hashed password values as if
they were the actual clear text password.  Appropriate access
controls are a must.  See the admin guide (if using 2.0) or the
FAQ (if using 1.2) for details on setting access controls.  Archives
of this list are also quite useful.

If you want a more secure solution, I suggest using SASL/GSSAPI,
SASL/DIGEST-MD5, SASL/EXTERNAL (TLS), or other other strong
authentication mechanism.

>I believe Outlook wants secure hash format.  Does anyone know the easiest
>way to create and set this password?