[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bind using a user other than organizationalRole user

Marcelo de Moraes Serpa wrote:
> Hi Dieter, thanks for the reply.
> Yeah, the folks @ #openladp were kind enough to help me to debug this
> issue. It turned out that it was a simple detail (as mostly always :))
> -- When I created the ldif, I've put the password in clear text,
> however, I didn't do anything to tell openldap that it was actually
> cleartext nor I knew I had to. The whole time I though it had to do with
> ACLs (OpenLDAP denying read-access to userPassword), but the problem was
> that OpenLDAP was trying to authenticate using SHA-1, and the password
> was stored as clear text.
> The solution? Store the password as a SHA-1 hash. Nobody would want to
> store password as clear-text anyway.

There's nothing wrong with storing a clear-text password like

userPassword: secret_12345

in the directory entry. In fact you have to when e.g. using SASL/DIGEST-MD5
bind with in-directory passwords.

When processing a simple bind slapd looks whether a password is stored in
hashed form by looking at a magic prefix like {SSHA}. If that prefix is not
there it is assumed that the password is stored in clear and this gets compared.

> So, issue solved!

Hmm, I think you mixed up something.

Ciao, Michael.