[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: How can I get OpenLDAP to hash passwords as crypt?

Title: RE: How can I get OpenLDAP to hash passwords as crypt?

ldapadd will not pay any attention to the "password-hash" config variable.  The tool just adds whatever is in the LDIF file.

The only tool that will pay attention to the "password-hash" is ldappasswd, the former sends a password change extended operation with a cleartext password.  The server is then responsible for crypt(3)ing the password and storing it.  (slappasswd does the same thing only locally)

And the password-crypt-salt-format configuration variable is good because different operating systems have different versions of crypt(3).  The traditional crypt uses 2 character salts and DES.  Sometimes you will see salts that indicate to use an algorithm based on MD5  (this is _not_ the same as the {MD5} method built into slapd!), these look like:

Some *BSDs can use "extended DES", which have 4 characters of salt and look like:

Using "password-crypt-salt-format" you can specify what the salt that is passed to crypt(3) will look like.
"%s"           (the default) will result in 2 character original DES crypt
"$1$%s"        will result in the MD5 based crypt(3)
"_%s"          will result in the "extended DES" that I mentioned above.

my slapd.conf contains:
password-hash  {CRYPT}
password-crypt-salt-format "$1$%.8s"

-----Original Message-----
From: Kervin L. Pierre [mailto:kervin@blueprint-tech.com]
Sent: Wednesday, July 10, 2002 12:17 PM
To: openldap-software@OpenLDAP.org
Subject: How can I get OpenLDAP to hash passwords as crypt?


I am trying to have OpenLDAP hash passwords using the crypt(3) format
before storing in the userpassword attribute, but with no luck.  How is
this done?

I am using 2.1.2 and I have the "password-hash {CRYPT}" in my config file.
 My ldapadds use the cleartext passwords, eg. "userpassword: secret", but
I'm guessing OpenLDAP will hash those before storing them?  If not, how do
I do this?

I saw the config option "password-hash-salt", but I didn't understand the
explanation given.  When would I need to set this?  My OpenLDAP server is
running on a linux box, but the client are solaris 8/9 machines, so I'm
thinking the salt might be a factor?
Has anyone successfully done this?