
Re: secure passwords



sim123 wrote:
> So I did more research and found that Java or Spring source has APIs for
> encrypting passwords and I could store the hashed value in OpenLDAP. If that's
> the case, would the LDAP server be able to retrieve the password during bind?
> 
> And another interesting read is
> 
> http://blogs.oracle.com/DirectoryManager/entry/the_ssha_password_storage_scheme
> 
> Is that true for OpenLDAP? Can I use a similar algorithm for generating
> the password? Or will password policy suffice?

Should be the same. Compare to:

http://www.openldap.org/faq/data/cache/347.html

Generating the salted hash of the password can be done by the client or within
slapd when the client sends an LDAP Password Modify extended operation request
(RFC 3062) with the clear-text password (as stated in
http://www.openldap.org/faq/data/cache/906.html).

Note that there are various forms of bind requests. Hashed passwords in
attribute 'userPassword' can only be used with bind methods which send the
plaintext password over the wire (simple bind, SASL/PLAIN) and therefore the
communication has to be protected (by LDAPS or LDAP with StartTLS).

Ciao, Michael.