[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password-hashing scheme

On Friday 01 February 2008 17:18:28 Vinh.CTR.Hoang@faa.gov wrote:
> Hi,  I'm have trouble trying to get a ldap client be authenicated by the
> the ldap server.  I think
>  the problem is that I might have the hash scheme configured wrongly or
> something like that.
> I'm on solaris 9 with Openldap 2.3.35.  I have the password set as "clear"
>  in the ldap.conf

Which ldap.conf? Solaris doesn't have an ldap.conf by default, so is this 
nss_ldap or PADL's pam_ldap's ldap.conf, or is this OpenLDAP's ldap.conf.

>  and 
> password-hash as {MD5} in slapd.conf.

Both of these settings only apply to password changes (assuming ldap.conf is 
pam_ldap's ldap.conf). This is covered in the documentation for each piece of 

> Am I safe to assume that with these 
> settings, it
> means that the client will be sent the passwords over the server as clear
> text and the server
> will hash it to MD5 before checking against its stored password list?

In the case of a simple bind, the password is always sent in the clear. The 
password will typically be validated against the contents of the userPassword 
attribute for the DN in question, using the password scheme identifier that 
precedes that password hash. As such, the password hash type typically can't 
be configured incorrectly, as it is stored with the password hash ...

> If 
> it is not the case, then how
> should I configure the client and server to be the case?