
Re: OpenLDAP MD5 Hashed and CLEARTEXT Passwords

At 10:58 AM 3/27/2006, Tony Murphy wrote:
>I'm having difficulty with storing passwords in openldap
>
>I'm using the latest of openldap for windows version

The latest version of OpenLDAP Software is 2.3.20.

>I tried to store a password as clear text by setting password-hash in slapd.conf to {CLEARTEXT}, slapd fell over saying that the hash setting wasn't recognised

Apparently the slapd(8) instance you are using was built with
--disable-cleartext.

>I then set the password-hash value to {MD5}, loaded the data, but the hashed password value was not as expected

Note that this directive only affects values generated
through use of the LDAP Password Modify operation.
If you are using LDAP Add or Modify (as with ldapadd(1)
or ldapmodify(1)), this directive has no effect.

>I'm using ldif, I loaded the file using ldapadd
>
># Define a user entry
>dn: uid=tony,ou=people,dc=example,dc=com
>objectclass: inetOrgPerson
>uid: tony
>cn: Tony Murphy
>sn: Murphy
>givenName: Tony
>initials: TM
>userPassword: tony:localhost:8080:blah00blah

slapd(8) should have preserved this value (as required
by LDAP technical specifications).

Note the whole value provided here is considered the user's
password.  That is, to authenticate as this user to the directory
service, the user (or client acting on his/her behalf) would have to
provide the string "tony:localhost:8080:blah00blah" as their
password.

>The password value I'm using contains ':', is this an illegal character?
>Should I escape it, and how can I escape it?

No.

Password values are octet strings.  Except as necessary
for experimental password schemes (e.g., {MD5}) [RFC2307],
slapd(8) doesn't regard any octet as being special.

>Any help greatly appreciated
>
>Tony
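The two points made above, that ldapadd(1) stores the userPassword value verbatim while password-hash only governs Password Modify, and that the {MD5}-style schemes from RFC 2307 are the only place slapd(8) interprets the value, can be shown with a small hashing and verification routine. The following is an added example written for this page, not code from the thread or from OpenLDAP itself. It implements the RFC 2307 {MD5}, {SMD5}, {SHA} and {SSHA} encodings (base64 of the digest, with the salt appended to the digest for the salted forms; the 4-byte default salt length is an assumption matching common slapd builds) and treats any value without a recognised scheme prefix as a plain octet string that is compared whole, exactly as the reply says slapd does with "tony:localhost:8080:blah00blah". The sample password is the one from the quoted LDIF; the colons are ordinary octets and nothing is escaped.

```python
"""RFC 2307-style userPassword hashing and verification (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample taken from the quoted LDIF. The ':' characters are
# ordinary octets of the password; slapd regards nothing here as special.
SAMPLE_PASSWORD = b"tony:localhost:8080:blah00blah"

# RFC 2307 schemes: digest function and whether a salt is appended.
_SCHEMES = {
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
}
DEFAULT_SALT_LEN = 4  # assumption: matches the usual slapd default for {SSHA}


def hash_userpassword(password: bytes, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in RFC 2307 form, e.g. {SSHA}base64(...).

    This is what you pre-compute when loading entries with ldapadd, because
    the password-hash directive is not applied to Add/Modify operations.
    """
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme %r" % scheme)
    digest_fn, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(DEFAULT_SALT_LEN) if salt is None else salt
    else:
        salt = b""
    digest = digest_fn(password + salt).digest()
    # Salted forms store digest||salt so the verifier can recover the salt.
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_userpassword(stored: str) -> Tuple[Optional[str], bytes]:
    """Split a stored value into (scheme, raw bytes).

    A value without a recognised {SCHEME} prefix is returned with scheme
    None and its full octet string: the whole value is the password.
    """
    if stored.startswith("{") and "}" in stored:
        scheme, _, rest = stored[1:].partition("}")
        if scheme.upper() in _SCHEMES:
            try:
                return scheme.upper(), base64.b64decode(rest, validate=True)
            except ValueError:
                pass  # malformed base64: fall through, treat as cleartext
    return None, stored.encode("utf-8")


def verify_userpassword(stored: str, candidate: bytes) -> bool:
    """Check a candidate password against a stored userPassword value."""
    scheme, blob = parse_userpassword(stored)
    if scheme is None:
        # Cleartext: the entire stored octet string must match.
        return hmac.compare_digest(blob, candidate)
    digest_fn, salted = _SCHEMES[scheme]
    digest_len = digest_fn().digest_size
    digest, salt = blob[:digest_len], blob[digest_len:]
    if not salted and salt:
        return False  # unsalted scheme must not carry trailing bytes
    expected = digest_fn(candidate + salt).digest()
    return hmac.compare_digest(expected, digest)


def ldif_lines(scheme: Optional[str]) -> str:
    """Render the userPassword attribute line as it would appear in LDIF."""
    if scheme is None:
        return "userPassword: " + SAMPLE_PASSWORD.decode("utf-8")
    return "userPassword: " + hash_userpassword(SAMPLE_PASSWORD, scheme)


if __name__ == "__main__":
    for s in (None, "MD5", "SMD5", "SHA", "SSHA"):
        print(ldif_lines(s))
```

Loading the `{SSHA}` line above with ldapadd stores an already-hashed value regardless of the password-hash setting; `slappasswd -h '{SSHA}' -s 'tony:localhost:8080:blah00blah'` produces the same kind of value from the OpenLDAP tools. Note that plain {MD5} and {SHA} are unsalted and listed as experimental in RFC 2307, so identical passwords produce identical stored values; the salted forms avoid that.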