Question about password storage.
- To: firstname.lastname@example.org
- Subject: Question about password storage.
- From: Bryan Boone <email@example.com>
- Date: Tue, 6 Jul 2010 14:44:54 -0700 (PDT)
Hi everyone. I just read this information:
14.4. Password Storage
LDAP passwords are normally stored in the userPassword attribute. RFC4519 specifies that passwords are not stored in encrypted (or hashed) form. This allows a wide range of password-based authentication mechanisms, such as DIGEST-MD5, to be used. This is also the most interoperable storage scheme.
However, it may be desirable to store a hash of the password instead. slapd(8) supports a variety of storage schemes for the administrator to choose from.
If it is not typical to store passwords in LDAP in hashed form, then how are you supposed to bind to LDAP without transmitting the clear text password across the network? I understand that SSL and Kerberos will fix this problem, but what if a user just wants to use plain LDAP? Would I need to dictate to a customer that they must use a hash alg. in the userPassword in this case?
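The trade-off the quoted guide describes, as an added example that is not part of the original post or of OpenLDAP's code: a userPassword value can be stored in cleartext (what RFC 4519 assumes) or in a hashed scheme such as slapd's {SSHA}, and a challenge mechanism like DIGEST-MD5 can only be served from the cleartext form because its HA1 value is derived from the password itself. The username and realm below are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the original post or from OpenLDAP.
# {SSHA} layout used by slapd: "{SSHA}" + base64( SHA1(password || salt) || salt )


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value (slapd uses a 4-byte random salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a simple-bind password against a stored userPassword.

    Handles the two forms discussed on the page: cleartext and {SSHA}.
    A simple bind always carries the cleartext candidate over the wire,
    whatever the storage scheme; that is what TLS protects.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    # Cleartext storage: constant-time comparison of the raw values.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def digest_md5_ha1(stored: str, username: str, realm: str) -> Optional[str]:
    """HA1 = MD5(username:realm:password), the secret DIGEST-MD5 (RFC 2831) works from.

    The server can only compute it when it holds the cleartext password, so a
    hashed userPassword (any "{SCHEME}" prefix) rules the mechanism out.
    """
    if stored.startswith("{"):
        return None
    return hashlib.md5(f"{username}:{realm}:{stored}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    hashed = ssha_hash("correct horse", b"\x01\x02\x03\x04")  # constructed sample
    print(hashed, verify_userpassword(hashed, "correct horse"))
    print(digest_md5_ha1("correct horse", "bryan", "example.org"))  # sample values
    print(digest_md5_ha1(hashed, "bryan", "example.org"))  # None: no cleartext
```

With a hashed scheme the simple bind still works, but DIGEST-MD5 does not, which is exactly the interoperability cost the guide refers to.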