
Re: password hashes and simple binds



On Sat, 23 Nov 2013 20:22:56 +0100
Aleksander Dzierżanowski <olo@e-lista.pl> wrote:

> Message written by Dieter Klünter <dieter@dkluenter.de> on
> 23 Nov 2013 at 19:57:
> 
> > On Sat, 23 Nov 2013 13:24:56 +0100
> > Michael Ströder <michael@stroeder.com> wrote:
> > 
> >> Dieter Klünter wrote:
> >>> Hi,
> >>> I have an LDAP server (2.4.36) with various password hashes
> >>> {CLEARTEXT} {KERBEROS} {SSHA} for different users; there is no
> >>> password-hash declaration in slapd.conf. Now I face a strange
> >>> behaviour with the {CLEARTEXT} hash, that is:
> >>> userPassword: {CLEARTEXT} secret
> >>                          ^^^
> >> I'd try to remove this extra space. Not sure though.
> > 
> > Just to demonstrate the various hash scheme {CLEARTEXT} results:
> > http://pastebin.de/37485
> > 
> 
> Well, AFAIK if there is no {METHOD} in the userPassword attribute then
> the method is cleartext, so everything works as expected I suppose... —
> Olo

It is not that simple.
RFC-2307 describes hashing schemes, but not {CLEARTEXT}; man
slapd.conf(5) mentions {CLEARTEXT} as password-hash.
http://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html
only refers to hashed userpassword values.
DIGEST-MD5 is a SASL mechanism which requires a cleartext password,
thus a hashing scheme of {CLEARTEXT} is valid for a SASL mechanism. A
simple bind requires a userpassword attribute value in cleartext, but
doesn't require a hashing scheme.
It would be quite helpful if OpenLDAP would accept a hash scheme for a
simple bind.

-Dieter

-- 
Dieter Klünter | Systems consulting
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
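As an added illustration of the point discussed above (this is example code written for this page, not OpenLDAP's implementation and not posted by anyone in the thread), the snippet below parses RFC 2307-style userPassword values, verifies a candidate password for the {SSHA} and {CLEARTEXT} schemes, treats a value without a {SCHEME} prefix as cleartext, and reports whether a stored value can serve a mechanism such as DIGEST-MD5 that needs the cleartext. The stored value from the thread, "{CLEARTEXT} secret", is kept verbatim, so the leading space becomes part of the password and a simple bind with "secret" fails. All function names are my own.

```python
"""Scheme-prefixed userPassword handling (added example, not slapd code).

A value without a {SCHEME} prefix is compared as cleartext.  {CLEARTEXT}
and {SSHA} are verified locally; {KERBEROS} is delegated to a KDC in real
deployments and is therefore reported as "cannot verify here".
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# {SCHEME} followed by the scheme-specific data; DOTALL so odd bytes survive.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def parse_userpassword(value: str) -> Tuple[str, str]:
    """Split '{SCHEME}data' into (SCHEME, data).

    No prefix means the whole value is a cleartext password.  Nothing is
    trimmed: a space after the closing brace is part of the password.
    """
    m = _SCHEME_RE.match(value)
    if not m:
        return "CLEARTEXT", value
    return m.group(1).upper(), m.group(2)


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: str, candidate: str) -> bool:
    """Simple-bind style check: does `candidate` match the stored value?"""
    scheme, data = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode("utf-8"), candidate.encode("utf-8"))
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(calc, digest)
    # {KERBEROS} or an unknown scheme: cannot be verified from the value alone.
    return False


def cleartext_available(stored: str) -> bool:
    """True if a SASL mechanism needing the cleartext (e.g. DIGEST-MD5) can use it."""
    scheme, _ = parse_userpassword(stored)
    return scheme == "CLEARTEXT"


if __name__ == "__main__":
    # Constructed sample values modelled on the thread.
    for value in ("{CLEARTEXT}secret", "{CLEARTEXT} secret", "secret",
                  make_ssha("secret"), "{KERBEROS}user@EXAMPLE.REALM"):
        print(f"{value!r:45} bind(secret)={check_password(value, 'secret')!s:5} "
              f"cleartext_for_sasl={cleartext_available(value)}")
```

Running the module prints one line per sample value; the second line shows the extra-space case from the thread failing the bind while still counting as a {CLEARTEXT} value.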