Re: OpenLdap Clear-text Password in Debug Mode

To: openldap-technical@openldap.org

Subject: Re: OpenLdap Clear-text Password in Debug Mode

From: Rich Alford <ralford100@gmail.com>

Date: Tue, 1 Dec 2015 07:39:10 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=WAO4Zh7zge6SuqqohKkDFQ2JDv5cT2cwhy0mWMivE4I=; b=k55qzmINUNm/rOCWYMdbCnbpBHKTPLGzNjIJmELdlrs+3puMQo956EyPaSm2NzcNcy 2cBenTyPmtRpnYknsUbOdFFZNIWT5R/dnNl4kYTD4XBiSxlEL58EskT1l4ul+5R2OOEL uwr9qEHtQd1aX/5gasDUCtxh90O/PLrkxJxIfK+kLZjQJOOfU/crAdxUyiZDeWR6HPzm LmfN5cyJK84NJMF+eYP0wErA3hgS8is3MC316HCcUUHQpevqz5WWp4D0Jc/NTmz4RdKN 8f57CJ0OpXKtxciREC+Ff+L+DQ2+xLn4PwkHJAufMciGNO7263/N8x4X2D0NMWSjLAHm rwHw==

In-reply-to: <20151130213405.GB1168@comet>

References: <CA+u_CmTZZ_xULSbGbeTBf0YJBVcwYK+6s1EKFRrmKhSP96cHpQ@mail.gmail.com> <20151130213405.GB1168@comet>

Thank you Ryan. So there's no way around that? I.e. Is there a strategy that can alleviate that?

On Mon, Nov 30, 2015 at 4:34 PM, Ryan Tandy <ryan@nardis.ca> wrote:

On Mon, Nov 30, 2015 at 02:20:44PM -0500, Rich Alford wrote:

Theoretically, the password should be hashed on the client, sent across the network, to be compared against the hashed passwords in the database.

The client has no idea how the server stores or hashes passwords. The server might not even store them directly, but could be passing them to a third party (f.ex. a Kerberos KDC) for verification. So the client sends the password to the server in the clear (but protected by TLS), and the server verifies the password however it's configured to, in your case by hashing it and comparing the hash to the stored hash.