
Re: Can password-hash be database specific? also, storing and verifying cleartext passwords

> Is the 'password-hash' configuration function a server-wide setting only
> or can it be set to different values for separate databases?
> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
> (openldap-2.4.21) and I need to store the password for the MAC addresses
> in cleartext.  I also use the LDAP server for user login which I don't
> want to keep in cleartext.  So, my thought was to have 'password-hash
> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
> RADIUS database, but it appears that it's a global so I'm pretty sure
> this won't work.
> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a global
> 'password-hash {CLEARTEXT}', I have the following ldif file that I add
> with:
> ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
> Contents of mac.ldif:
>      dn:uid=001e68d08ff9,o=radius
>      uid: 001e68d08ff9
>      cn: 001e68d08ff9
>      userPassword: {cleartext}001e68d08ff9
>      objectClass: top
>      objectClass: radiusProfile
>      objectClass: radiusObjectProfile
> but when I use ldapsearch or slapcat to dump the database, the
> userPassword line looks to be hashed.
> ldap_server# slapcat
>      dn: o=radius
>      o: radius
>      objectClass: top
>      objectClass: organization
>      structuralObjectClass: organization
>      entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
>      creatorsName: cn=Manager,o=radius
>      createTimestamp: 20100618220235Z
>      entryCSN: 20100618220235.020635Z#000000#000#000000
>      modifiersName: cn=Manager,o=radius
>      modifyTimestamp: 20100618220235Z
>      dn: uid=001e68d08ff9,o=radius
>      uid: 001e68d08ff9
>      cn: 001e68d08ff9
>      userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=

This is the base64 encoding of "{cleartext}001e68d08ff9".

Please note that slapd will hold what you store in it.  password-hash only
hashes passwords that are written by the password modify extended
operation (RFC3062).  So if you write passwords using an add or a modify
operation, it will be stored as it is provided.
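The check the original poster asked for (is the value slapcat prints stored in the clear?) can be scripted: decode the `::` base64 attribute values, then look at the `{scheme}` prefix OpenLDAP puts in front of hashed passwords. This is an added example written for this thread, not code from the OpenLDAP project; the `{SSHA}` entry and its salt are constructed here, and the audit assumes OpenLDAP's convention that a bare value or a `{CLEARTEXT}` prefix both mean the password is stored as given.

```python
import base64
import hashlib
import re

SCHEME_RE = re.compile(r"^\{([^}]+)\}")

def make_ssha(password: bytes, salt: bytes) -> str:
    """OpenLDAP {SSHA} layout: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, candidate: bytes) -> bool:
    """Verify a candidate against a stored {SSHA} value; the salt is the trailing bytes."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate + salt).digest() == digest

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: '::' base64 values and leading-space continuation lines."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    cur = {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):                # '::' marks a base64-encoded value
            val = base64.b64decode(val[1:].strip()).decode()
        else:
            val = val.strip()
        cur.setdefault(attr, []).append(val)
    return entries

def password_scheme(value: str) -> str:
    """Upper-cased {scheme} prefix; a value without one is stored in the clear as well."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"

def audit(ldif: str) -> dict:
    """Map each DN in a slapcat/ldapsearch dump to the scheme its userPassword uses."""
    return {e["dn"][0]: password_scheme(pw)
            for e in parse_ldif(ldif) for pw in e.get("userPassword", [])}

# Constructed sample dump: the first entry carries the base64 value quoted in the
# thread; the second is a hypothetical user entry hashed as {SSHA} with a fixed salt.
SAMPLE_DUMP = ("dn: uid=001e68d08ff9,o=radius\nuid: 001e68d08ff9\n"
               "userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=\n\n"
               "dn: uid=alice,o=users\nuid: alice\n"
               "userPassword: " + make_ssha(b"hunter2", b"\x00\x01\x02\x03") + "\n")
```

Running `audit(SAMPLE_DUMP)` reports the RADIUS entry as CLEARTEXT and the user entry as SSHA, which is the distinction the poster wanted to confirm from the slapcat output.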