[Date Prev][Date Next]
Re: Applications, authentication, and hashing methods..
> This is a general LDAP question, and not specific to OpenLDAP, but I
> have a feeling I will get some good answers here. :)
> Let's say I have a generic set of applications X, Y, and Z. I want users
> of these applications to auth using information in LDAP. (We are indeed
> running OpenLDAP.) In general I can do this by trying to bind as that
> user. So if userPassword is in crypt form I need to crypt() my password
> and then submit it, and ditto for SHA1, when binding. For plaintext I
> just send the password in plaintext. This assumes that a user will have
> the same password for all applications.
No. You DON'T have to crypt anything in your application. Password is sent
to the server in plain and the server crypts it with the correct algorithm
before checking against the stored password. If you need to rise security
you can set up TLS.
> There is a possibility that I will need to support some applications
> that needs a different password for my users.
> I'm wondering how to best support this?
> If the application is open source I could change the code so that it
> compared the user's entered password against something in their entry.
> (Score one for open source.)
> If the application is closed and just tries to do a bind is there a
> solution? I don't see one.
> Also, speaking of passwords, I also have the potential issue that an
> application doesn't support the form of hashing that I use for
> userPassword when a user sets her password. Let's say that I hash a
> password when putting it into userPassword using SHA1. That means I have
> to force all of my applications to first hash using SHA1 and then do a
> bind. How can I support applications that use different methods to hash
Luca Scamoni - e-mail: email@example.com
SysNet snc - Via Dossi, 8 - 27100 Pavia Italy
IT Specialist - mobile: +393471014425