[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Question about password storage.

On 06/07/10 14:44 -0700, Bryan Boone wrote:
Hi everyone.  I just read this information.
14.4. Password Storage
LDAP passwords are normally stored in the userPassword attribute. RFC4519
specifies that passwords are not stored in encrypted (or hashed) form.
This allows a wide range of password-based authentication mechanisms, such
as DIGEST-MD5 to be used. This is also the most interoperable storage
scheme.  However, it may be desirable to store a hash of password instead.
slapd(8) supports a variety of storage schemes for the administrator to
choose from.   

If it is not typical to store passwords in LDAP in hashed form.  Then how
are you supposed to bind to LDAP without transmitting the clear text
password across the network?  I understand that SSL and Kerberos will fix
this problem, but what if a user just wants to use plain LDAP?  Would I
need to dictate to a customer that they must use a hash alg. in the
userPassword in this case?

I believe your question is based on a misinterpretation of the above.
Storing the password in clear text within the userPassword attribute opens
up several SASL based authentication mechanisms which do not transmit the
password over the network, such as with DIGEST-MD5 (See RFC 2831).

Storing your password in a hashed form may restrict the ability of the
server, or the SASL library, in making use of such mechanisms, and could
allow, or even require, your users to transmit the password in clear text
over the network.

Assuming that you only allow SASL binds, you can implement a configuration
option of 'sasl-secprops minssf=64' to require users to choose
authentication mechanisms that provides a security layer of at least 64
bits (for example). See RFC 4422.

Even when using such appropriate mechanisms to authenticate, it's still a
good idea to protect the authentication handshake with TLS.

Dan White