
Re: userPasswd Attribute



Net Warrior writes:
> Hi there guys, what I'm going to ask may be is insane, and I'm
> awaiting the storm to come :)

Yes, it is:-)

> I know that there is a directive/option password-hash that allows me to
> store the password in plain text for example or whatever I want.

Not exactly.  If you modify a password with the Password Modify LDAP
operation, the server will hash it before storing it.  See the
password-hash directive in the slapd.conf(5) manpage for how, and which
hash schemes are available.  The one you ask for is {CLEARTEXT}.

OTOH when you store a userPassword with the regular LDAP Add or Modify
operations, it is stored exactly as you provided it.  E.g. in cleartext
if you sent it in cleartext.  Or as userPassword: {hash-scheme}hashvalue
if you send that.

> As far as I know, this only applies to the server,

Looks like you mean the master server.

> If I set up a replication server, is there a way to tell the
> replication server to store in a different format, for example, to
> store them in plain text?

Turning a hashed password into a cleartext password is known as cracking
the password.  If a server (master, replication server or client) can do
that, so can an attacker.

On the other hand if the master server has the cleartext password and
you want a slave server to have a hashed password, I suppose an overlay
in the slave could handle that.  Intercept modify/add operations and act
like Password Modify.  I seem to remember someone had written such an
overlay, but I don't remember where it is.

-- 
Hallvard
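The {hash-scheme}hashvalue layout Hallvard describes, and the slave-side overlay behaviour he sketches at the end (hash incoming cleartext values, leave already-hashed ones alone), as an added Python example. This is not code from the thread or from OpenLDAP itself; the function names are assumptions, it covers only {CLEARTEXT}, {SHA} and {SSHA}, and the 4-byte salt mirrors what slappasswd typically generates.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20  # bytes of a SHA-1 digest; everything after it in {SSHA} is salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in {SSHA} form: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # assumption: 4-byte salt, as slappasswd commonly emits
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """Split '{SCHEME}payload' into (SCHEME, payload); no prefix means cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def check_password(stored: str, candidate: str) -> bool:
    """Compare a candidate against a stored userPassword value, honouring its scheme."""
    scheme, payload = split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme is None or scheme == "CLEARTEXT":
        # Stored exactly as supplied, so the comparison is a constant-time byte compare.
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    raise ValueError(f"unsupported password scheme: {scheme}")


def normalize_userpassword(value: str) -> str:
    """What a hypothetical slave-side overlay would do to an incoming userPassword
    on Add/Modify: hash cleartext the way Password Modify would, pass hashed
    values through unchanged."""
    scheme, payload = split_scheme(value)
    if scheme is None or scheme == "CLEARTEXT":
        return make_ssha(payload)
    return value


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for incoming in ["s3cret", "{CLEARTEXT}s3cret", make_ssha("s3cret", b"abcd")]:
        stored = normalize_userpassword(incoming)
        print(f"{incoming!r:40} -> {stored}  verifies: {check_password(stored, 's3cret')}")
```

The point of the split between check_password and normalize_userpassword is the one Hallvard makes: a server can always go from cleartext to a hash, but nothing in this code (or in any server) can go the other way, which is why a replica cannot be told to "store in plain text" what the master only has hashed.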