
Re: userPassword hash



Sun, 2002-11-24 at 20:49, Raphael Berghmans wrote:

> With your answer, I'm not able to understand the behaviour of OpenLDAP
> against the Password management

No, sorry about that, Raphaël. I found it all out for myself, and maybe
I'm wrong about some things.

> If you could tell me exactly how OpenLDAP works with the password, I think
> It will be more efficient for my general knowledge !

> My slapd.conf is configured with the option password-hash {crypt}.
> 
> 1:^

This is simply for the convenience of storing a password in a file to
which others might have access. You may encrypt it in {crypt}, {smd5} or
with any of the available algorithms (see below). You still have to send
the password in cleartext (i.e. secret and not {crypt}3VwQzjVdenYHE), but
the server will decrypt what it has in slapd.conf.

How do I know? I tried it out for myself :-)

> >  When I change a userPassword with ldappasswd, the value of the userPassword
> > attribute is correctly crypted.
> 
> 2:^

The utility ldappasswd itself seems to choose {smd5}. However, the DSA
password entries may be in cleartext, {crypt}, {SSHA}, {SMD5}, {MD5} or
{SHA}. slapd seems to know how to decrypt all of these and compare them
with client passwords encoded with these algorithms. They will be stored
as base64 binary values.

How do I know? I tried it out with GQ, John Hallam's PHP4 utility and
LDAPExplorer, as well as ldappasswd, ldapsearch, slapcat and mimencode.
Plus I read a lot of PHP blurb (like the 6 MB large single-page html
manual, which one can search.)

> >  But when I use PHP interface, I change
> > the password with the generic php method : ldap_modify(), I've to crypt
> > the password with a PHP method before sent the modification to the LDAP
> > server.

See the above. You can use any utility you like for password encryption,
Mcrypt and Mhash seem the most obvious, as long as you stick to the
algorithms that slapd can decode.

> This mail has been checked by exiscan.
> To be safe, please scan the mail attachements with your local virus scanner !

I am *so* pleased! Not about the mail having been scanned for viri, but
that your org. uses Exim :c)

Best,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
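As an added example (not code from this thread, nor from OpenLDAP or PHP), the Python below builds the RFC 2307 style {SSHA}, {SMD5}, {SHA} and {MD5} userPassword values the thread lists, renders one as the base64 `userPassword::` line slapcat emits, and checks a cleartext candidate against a stored value by splitting the stored blob into digest and salt and re-hashing the candidate with that salt. {CRYPT} is left out because it depends on the system crypt(3); the function names are my own.

```python
import base64
import hashlib
import os
import secrets

# Scheme name -> hash constructor. SSHA/SMD5 append a random salt to the
# password before hashing and store the salt after the digest.
SCHEMES = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1,
           "MD5": hashlib.md5, "SMD5": hashlib.md5}
SALTED = {"SSHA", "SMD5"}


def make_userpassword(password, scheme="SSHA", salt=None):
    """Return '{SCHEME}base64(digest || salt)' for a cleartext password."""
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    if scheme in SALTED:
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_userpassword(stored, candidate):
    """True if cleartext `candidate` matches the stored userPassword value."""
    if not stored.startswith("{"):          # cleartext entry, compare as-is
        return secrets.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64)
    hashfn = SCHEMES[scheme]
    dlen = hashfn().digest_size
    digest, salt = raw[:dlen], raw[dlen:]  # salt is whatever follows the digest
    expected = hashfn(candidate.encode("utf-8") + salt).digest()
    return secrets.compare_digest(digest, expected)


def ldif_userpassword(value):
    """LDIF line as slapcat writes it: the whole value is base64 ('::')."""
    return "userPassword:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def parse_ldif_userpassword(line):
    """Inverse of ldif_userpassword: recover the '{SCHEME}...' value."""
    prefix = "userPassword:: "
    if not line.startswith(prefix):
        raise ValueError("not a base64 userPassword line")
    return base64.b64decode(line[len(prefix):]).decode("utf-8")
```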