
Re: Antw: Passwords, Hashing, and Binds

Ulrich Windl wrote:
Bram Cymet <bcymet@cbnco.com> wrote on 28.08.2014 at 22:26 in message

I am storing users passwords in a userPassword attribute. When the
passwords are hashed with MD5 I can bind as the user just fine. If I
hash the password with sha-256 I get invalid credentials.

I wonder: My slappasswd only knows about {SHA} and {SSHA}, {MD5} and
{CRYPT}, and {CLEARTEXT}. Section 14.4 of the manual indicates that hashed
passwords are non-standard anyway.

So implement the non-standard on your clients.

No, that's terrible advice. The server should be responsible for all hashing and verification of hashes, otherwise you are guaranteed to get different behavior with different clients. This is the reason why the LDAP Bind operation behaves as it does, and it is the reason why the LDAP PasswordModify operation exists.

Is there something I have to change in my client?
Is there something I have to change on the server?

Is binding a user with a password stored with sha-256 (or at least
something better than md5) even possible?


  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
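The server-side verification Howard is pointing at, as an added example (not code from this thread or from OpenLDAP itself): a small Python model of how a Bind checks a userPassword value against the RFC 2307-style scheme prefixes slappasswd is said to know ({SHA}, {SSHA}, {MD5}, {CLEARTEXT}; {SMD5} is added as the salted MD5 variant and {CRYPT} is left out because it needs the system crypt(3)). In this model any prefix outside that table is rejected, which is the "invalid credentials" outcome Bram reports when the client stores a {SHA256} value the server does not understand.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (digest constructor, whether a salt follows the digest).
# Assumption for this model: these are the only schemes the server understands.
SCHEMES = {
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
}


def hash_password(password, scheme="SSHA", salt=None):
    """Produce a "{SCHEME}base64(digest [+ salt])" value, as slappasswd would."""
    if scheme == "CLEARTEXT":
        return "{CLEARTEXT}" + password
    digest_fn, salted = SCHEMES[scheme]
    salt = (salt if salt is not None else os.urandom(4)) if salted else b""
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(stored, candidate):
    """What a Bind does: read the scheme prefix, rehash the candidate, compare."""
    if not stored.startswith("{") or "}" not in stored:
        return stored == candidate  # no prefix at all: plain comparison
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return encoded == candidate
    if scheme not in SCHEMES:
        return False  # unknown scheme (e.g. a client-made {SHA256}): Bind fails
    digest_fn, salted = SCHEMES[scheme]
    raw = base64.b64decode(encoded)
    dlen = digest_fn().digest_size
    digest = raw[:dlen]
    salt = raw[dlen:] if salted else b""
    expected = digest_fn(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)
```

Letting the server generate the value (a PasswordModify, or storing cleartext and letting slapd hash it with its configured scheme) keeps the stored form within the table the Bind code can verify.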