
TLS / secure ldap transactions, userPassword hashing questions



Like many, I'm planning to use OpenLDAP for user authentication and
NSS.  However, after reading the documentation for OpenLDAP, I'm still
confused/uncertain on a couple of things.

1. I want to make sure all ldap sessions occur via TLS, enforced by
slapd, and since ldaps:// is considered deprecated
(http://www.openldap.org/faq/data/cache/605.html), I'd like to make
sure my understanding of how to do this through slapd.conf is correct.

Since I won't be using SASL, I presume this means the authentication
mode is "simple"?  If so, what is the difference between using:

require strong

and

disallow bind_simple_unprotected

?

Also, I've noticed sometimes keywords are mentioned in the
Administrator's Guide that are not in the slapd.conf manpage, such as
the aforementioned "bind_simple_unprotected".  Is there a similar
require keyword that specifically refers to TLS (rather than just
"strong", for which both SASL and TLS qualify)?

2. In an earlier message on the list
(http://www.openldap.org/lists/openldap-software/200502/msg00065.html),
it was asked if there was a way to specify a "stronger" hash, such as
SHA-256, for the userPassword.  The response directed the inquirer to
read the slapd.conf manpage's password-hash section.  Looking there, I
see no mention of "stronger" hashes than standard SHA (or SSHA), nor of
whether it is possible to use an external module which supplies the
hashing code.  Ordinarily I would assume that, since nothing else was
said in the manpage, this would be impossible unless I were to modify
the slapd code.  However, given the slapd.conf manpage is not canonical,
can someone actually tell me whether or not it is possible?

Thanks,

Bill
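The slapd.conf directives the two questions touch on, shown together as an added example fragment (not part of the original post or of any reply to it). It assumes an OpenLDAP 2.2 or later slapd and certificate files under /etc/openldap/; the `security` directive is what enforces TLS, since `require` has no TLS-specific keyword.

```conf
# Added example slapd.conf fragment, not from the original post.
# Assumed paths: certificate and key material under /etc/openldap/.
TLSCACertificateFile  /etc/openldap/cacert.pem
TLSCertificateFile    /etc/openldap/slapd.pem
TLSCertificateKeyFile /etc/openldap/slapd.key

# "require strong" is satisfied by either a strong SASL mechanism or TLS.
# The TLS-only control is the "security" directive: "tls=" counts only the
# protection provided by TLS, so a session that has not done StartTLS is
# refused for ordinary operations even if it authenticated via SASL.
#   ssf=128          overall security strength factor required for any op
#   tls=128          that strength must come from TLS specifically
#   simple_bind=128  simple binds need an SSF of 128 too; this replaces the
#                    older "disallow bind_simple_unprotected" form
security ssf=128 tls=128 simple_bind=128

# Scheme slapd uses when it hashes a password itself (Password Modify
# extended operation). The built-in schemes of this era are the ones the
# manpage lists, e.g. {SSHA}, {SHA}, {MD5}, {CRYPT}; {SSHA} is the default.
# Later 2.4 releases add loadable schemes (e.g. the contrib pw-sha2 module,
# which provides {SHA256}/{SSHA256}) via moduleload; that is a note about
# newer versions than the post discusses, not a directive available here.
password-hash {SSHA}
```

Passwords that a client writes directly into userPassword bypass password-hash entirely and are stored as sent, so the scheme is only enforced for clients that use the Password Modify operation (ldappasswd) rather than ldapmodify.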
