
Re: migrating from (old) /etc/shadow to LDAP

Hi Gerardo,

The 'short strings' you mentioned are 13-character DES password hashes.
For security reasons they should not be used anymore if possible.

Putting {crypt} in front of them should be sufficient for conversion.

Normalizing the passwords might become difficult if only their DES hashes are available.

Especially in a heterogeneous environment, using simple authentication together with
ssl/tls will prevent some trouble.

In that case OpenLDAP will take care of the crypto algorithm, creation of 
password hashes and so on while clients just send plaintext passwords
over an encrypted ssl/tls connection to the LDAP server.

This will also prevent trouble if there is no common algorithm supported by
all OS flavors and releases in your environment which use LDAP for authentication.
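
The conversion described in the message above, as an added example that is not part of the original post: it prefixes each usable shadow hash with {crypt}, emits LDIF modify records, and lists accounts that still carry 13-character DES hashes. The base DN, the uid= entry naming and the sample shadow lines are assumptions constructed for illustration.

```python
import re

# Constructed sample /etc/shadow lines (not real accounts or hashes).
SAMPLE_SHADOW = """\
alice:ab1Xy7QpLm3Zk:12000:0:99999:7:::
bob:$6$saltsalt$Q9vXconstructedhashvalue0123456789abcdefghijklmnopqrstuv:19000:0:99999:7:::
daemon:*:12000:0:99999:7:::
carol:!ab1Xy7QpLm3Zk:12000:0:99999:7:::
dave::12000:0:99999:7:::
"""

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-character DES crypt
MCF_RE = re.compile(r"^\$([0-9a-z]+)\$[./0-9A-Za-z$=,-]+$")  # $id$salt$hash formats


def classify(field):
    """Return 'des', 'mcf:<id>' or None for a shadow password field."""
    if DES_RE.match(field):
        return "des"
    m = MCF_RE.match(field)
    return "mcf:" + m.group(1) if m else None


def shadow_to_ldif(shadow_text, base_dn="ou=People,dc=example,dc=com"):
    """Build LDIF modify records; return (ldif, des_users, skipped_users).

    base_dn is a hypothetical placeholder; user names are assumed to need
    no DN escaping.
    """
    records, des_users, skipped = [], [], []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        kind = classify(field)
        if kind is None:  # empty, locked ('!', '*') or unrecognised: do not migrate
            skipped.append(user)
            continue
        if kind == "des":
            des_users.append(user)  # weak hash: schedule a password change
        records.append(
            f"dn: uid={user},{base_dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {{crypt}}{field}\n"
        )
    return "\n".join(records), des_users, skipped
```

Calling `shadow_to_ldif(SAMPLE_SHADOW)` returns the LDIF text plus the DES and skipped account lists, so the DES accounts can be scheduled for a password change after migration.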