[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Can password-hash be database specific? also, storing and verifying cleartext passwords

> -----Original Message-----
> Is the 'password-hash' configuration function a server-wide setting
> only
> or can it be set to different values for separate databases?
> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
> (openldap-2.4.21) and I need to store the password for the MAC
> addresses
> in cleartext.  I also use the LDAP server for user login which I don't
> want to keep in cleartext.  So, my thought was to have 'password-hash
> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
> RADIUS database, but it appears that it's a global so I'm pretty sure
> this won't work.

Yes, each database can have a different hashing mechanism set.

olcPasswordHash: <hash> [<hash>...]
	      This option  configures  one  or	more  hashes  to  be  used  in
	      generation   of	user  passwords  stored  in  the  userPassword
	      attribute during processing of  LDAP  Password  Modify  Extended
	      Operations (RFC 3062).  The <hash> must be one of {SSHA}, {SHA},
	      {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.	The default is {SSHA}.

You can have more than one password set for a user and have each password use a different hash mechanism.

> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a global
> 'password-hash {CLEARTEXT}', I have the following ldif file that I add
> with:

What you see is a base64 encoded string. 

I am not familiar with MAC-auth RADIUS. Does it require that you pass a clear-text string to the RADIUS server? Mostly, RADIUS should send a "bind" request to LDAP and if that succeeds it will allow auth. If that is the case, you should not have to use clear-text passwords.

Hope this helps,

- Siddhartha