
Re: more questions regarding password hashes



Brandon McCombs writes:
> The question is how does a person choose to use a salt or not use a
> salt if they have no control over what the salt is?

If he uses the Password Modify extended operation, slapd will hash the
password for him, with the hash method specified by password-hash in
slapd.conf.

If he wants to control exactly how some password is hashed, he can
generate the hashed password himself (with the appropriate {hashmethod}
prefix) and use the LDAP Add or Modify operation to store it in
attribute userPassword.  As the slapd.conf(5) man page says (under
password-hash).

> What determines whether a salt is applied?

For Password Modify: A salt is generated if the specified method needs a
salt.

> If a salt is specified on the conf file

*a* salt?  With the password-crypt-salt-format keyword?  You do not
intend to use a salted method only to reduce security by using the same
salt for everyone, I hope.

> then it applies to everyone
> and no one can choose *not* to use it, is that correct?

Not if they use Password Modify.  If they use Modify, they can use
something else.

-- 
Regards,
Hallvard