
Re: bindpw and SSHA



On Fri, 2008-09-26 at 13:42 +0200, Buchan Milne wrote:
> On Friday 26 September 2008 11:08:32 Nick Kasparidis wrote:
> > Hello everyone,
> >
> > I have a small problem setting up my ldap client.
> >
> > The issue comes from trying to force authenticated queries. So I have
> > set the following lines in my slapd.conf
> >
> > disallow        bind_anon
> > require         authc
> >
> > on the client side I have added the following lines to my ldap.conf
> >
> > binddn cn=manager,dc=domain,dc=com
> > bindpw {SSHA}<the hash>
> >
> 
> A simple bind requires that the client has the *cleartext* password.
> 
> What documentation that you read made you believe you could use a hash?
> 
> Are you aware of what a hash is? The whole point of a hash is to be a one-way 
> test. Allowing the "cleartext" hash to be a password equivalent would defeat 
> the purpose of the hash.
> 
> If you don't want cleartext, you can use a SASL method. But, the SASL methods 
> still require a secret to be available on the client side ... (private key, 
> Kerberos keytab etc.).
> 
> Regards,
> Buchan

I realise now that what I was asking did not make sense. I will probably
create an account for binddn which is less privileged than cn=manager,
and if someone gets the password no harm done. Alternatively I will take
a look at the SASL method.

Thank you for the help

Best Regards
Nick
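
To illustrate Buchan's point that the stored {SSHA} value is a one-way verifier and not a credential, here is an added example (not code from this thread or from OpenLDAP) that builds an {SSHA} string in the layout slappasswd produces and checks a candidate password against it. The 4-byte salt length and the `make_ssha`/`check_ssha` names are assumptions for the example; the point it demonstrates is that supplying the hash string itself as the bind password, as in the original ldap.conf, can never verify.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
SHA1_LEN = 20  # raw SHA-1 digest length in bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} userPassword value: base64(sha1(password + salt) + salt).

    Salt length is an assumption for this example (slappasswd's default is small);
    any length works because the verifier recovers it from the decoded value.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a cleartext candidate against a stored {SSHA} value.

    This is what the directory server does on a simple bind: it needs the
    cleartext to recompute the digest. There is no way to go from the stored
    value back to something the client could present instead.
    """
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # constant-time comparison so a verifier does not leak digest prefixes
    return hmac.compare_digest(digest, computed)


def demo() -> dict:
    """Constructed scenario: the hash is stored, then used three ways."""
    stored = make_ssha("correct horse", salt=b"\x01\x02\x03\x04")
    return {
        "cleartext_binds": check_ssha(stored, "correct horse"),
        "wrong_password_binds": check_ssha(stored, "wrong"),
        # the mistake from the original ldap.conf: bindpw set to the hash string
        "hash_as_password_binds": check_ssha(stored, stored),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Only the cleartext case verifies; the other two fail, which is exactly why `bindpw {SSHA}<hash>` cannot work for a simple bind and why the client-side secret, if it must exist at all, should belong to a least-privileged bind identity rather than cn=manager.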