
Re: Compare-Request on hashed userPassword

On 27/09/11 18:59 +0200, Michael Ströder wrote:

> We have {SSHA}-hashed passwords in attribute userPassword.
>
> One application sends CompareRequests with the clear-text password instead of
> a BindRequest to validate the password which obviously fails. The application
> vendor claims it is too much effort to change that behaviour in the
> application. I guess this can only be solved in slapd by a custom overlay
> intercepting the CompareRequest (which is effort too).
>
> Or is there any other solution I don't know of?

We had a similar problem where Sun ILOM requires userPassword to be in a
Solaris compatible crypt format. We created a custom attribute, called
cryptedUserPassword, and populate it for the users that need access to the
device. Then we make use of slapd-relay and slapo-rwm, to present
cryptedUserPassword as userPassword when our relayed tree
(dc=example,dc=net,dc=ilom) is queried.

Our slapd.conf config looks like:

database                relay
suffix                  "dc=example,dc=net,dc=ilom"
overlay                 rwm
rwm-rewriteEngine       on
suffixmassage           "dc=example,dc=net"
rwm-rewriteContext      default
rwm-map                 attribute userPassword cryptedUserPassword
rwm-map                 attribute cryptedUserPassword userPassword
rwm-rewriteContext searchFilter
rwm-rewriteRule ".*uid=(.*)\)\)" "(&(uid=$1)(someAccessAttr=ilom))"

Dan White
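To make the failure in the original question concrete, here is an added example (not code from either poster or from OpenLDAP) that builds an RFC 2307-style {SSHA} userPassword value and contrasts the two checks: a Bind re-hashes the candidate with the stored salt, while a CompareRequest is modelled here as plain equality of the asserted octets against the stored value, which is why a clear-text assertion never matches a hash. The salt length and the assumption that compare is a byte-for-byte test are simplifications made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt).

    A 4-byte random salt is used when none is supplied (constructed choice;
    slapd's own salt length may differ).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """What a Bind does: split the stored value into digest and salt,
    re-hash the candidate with that salt and compare digests in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def compare_request(stored: str, asserted: str) -> bool:
    """Model of a CompareRequest on the attribute: the asserted value is
    tested for equality against the stored octets, so the hash itself would
    have to be sent to get LDAP_COMPARE_TRUE (simplified model, see lead-in)."""
    return stored == asserted


if __name__ == "__main__":
    stored_value = ssha_hash("s3cret", b"\x01\x02\x03\x04")  # constructed sample
    print("stored userPassword:", stored_value)
    print("bind-style verify   :", ssha_verify(stored_value, "s3cret"))
    print("compare clear-text  :", compare_request(stored_value, "s3cret"))
```

Running it shows the Bind-style check succeeding and the Compare-style check failing for the same clear-text password.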