
Re: More on my password problem

On Tue, Jul 29, 2003 at 11:29:24AM -0300, luiz@pucrs.br wrote:
> The detail is that if I don't use "password-hash {CRYPT}" (previously I
> used {MD5}), when the user changes his password, the new password is not
> recognized. With {CRYPT} I didn't have any more problems. "proxyagent" is for
> my SUN profile.

This depends on how your /etc/ldap.conf (from pam_ldap) is configured.
The pam_password directive basically controls who does the hashing, the
client or the server. If it's set to "exop", then openldap will do the
hashing using whatever algorithm it is configured to use. This shouldn't
bother the client.

You see, there are two ways the PADL tools can authenticate you: one is
to do an anonymous bind (or use bind_dn in ldap.conf), retrieve the
userPassword attribute, hash your password and compare it with the value
of this attribute. That is, the client does all the work.

The other way (the best one, in my opinion) is to let the server do the
work. The client just binds to the openldap server with the password the
user supplied. No hashing involved, no trouble with different implementations
of these algorithms, etc. The server will either authenticate you or it won't,
which means the password is correct or isn't. And if you use the exop option
with openldap, you also do not have to worry about hashes, since the server
will hash the password and store it. The other way around, the client would
have to hash the password and manually update the userPassword attribute.
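As an added illustration of the "client does all the work" path described above (this is constructed example code, not from the original message, pam_ldap or OpenLDAP), the Python below builds and checks RFC 2307 style userPassword values for the {MD5}, {SHA}, {SMD5} and {SSHA} schemes, which is what a client must do when it both verifies and rewrites the attribute itself. {CRYPT} is deliberately left unsupported: it delegates to the host's crypt(3), so the client and the server host must agree on the crypt variant and salt format for the values to match, which is exactly the kind of mismatch that goes away when the server does the hashing (bind for verification, exop for changes). The passwords, salt and stored values are constructed sample input.

```python
import base64
import hashlib
import hmac
import os

# Constructed example; assumes RFC 2307 style values "{SCHEME}base64payload".
# Unsalted schemes: payload = base64(digest(password))
PLAIN_DIGESTS = {"MD5": hashlib.md5, "SHA": hashlib.sha1}
# Salted schemes: payload = base64(digest(password + salt) + salt), salt appended
SALTED_DIGESTS = {"SMD5": hashlib.md5, "SSHA": hashlib.sha1}


def split_scheme(value):
    """Split '{SCHEME}payload' into ('SCHEME', 'payload'); no prefix means cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "", value


def make_userpassword(password, scheme="SSHA", salt=None):
    """What a client has to do when it is not using exop: hash the new password
    locally and write the result into userPassword itself."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme in PLAIN_DIGESTS:
        payload = PLAIN_DIGESTS[scheme](pw).digest()
    elif scheme in SALTED_DIGESTS:
        salt = os.urandom(4) if salt is None else salt
        payload = SALTED_DIGESTS[scheme](pw + salt).digest() + salt
    else:
        # {CRYPT} is the platform crypt(3): which variant (DES, MD5, SHA-512, ...)
        # and which salt format it accepts depends on the host, so a value made
        # on one box may not verify against what another box's libcrypt produces.
        raise NotImplementedError("{%s} needs a scheme-specific implementation" % scheme)
    return "{%s}%s" % (scheme, base64.b64encode(payload).decode("ascii"))


def check_userpassword(password, stored):
    """Client-side compare: read userPassword, hash the offered password the same
    way, compare. The server is never asked whether the password is right."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "":
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme in PLAIN_DIGESTS:
        return hmac.compare_digest(PLAIN_DIGESTS[scheme](pw).digest(),
                                   base64.b64decode(payload))
    if scheme in SALTED_DIGESTS:
        raw = base64.b64decode(payload)
        size = SALTED_DIGESTS[scheme]().digest_size
        digest, salt = raw[:size], raw[size:]
        return hmac.compare_digest(SALTED_DIGESTS[scheme](pw + salt).digest(), digest)
    raise NotImplementedError("cannot verify {%s} locally; let the server check it via bind" % scheme)


if __name__ == "__main__":
    stored = make_userpassword("correct horse", "SSHA")
    print(stored)
    print(check_userpassword("correct horse", stored))   # True
    print(check_userpassword("wrong horse", stored))     # False
```

Every branch in check_userpassword that the client cannot handle is a case where a bind against the server would have just worked, since the server only has to compare against its own stored value.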