Ulrich Windl wrote:
>>>> Bram Cymet <bcymet@cbnco.com> wrote on 28.08.2014 at 22:26 in message <53FF9080.1050209@cbnco.com>:
>> Hi,
>>
>> I am storing users' passwords in a userPassword attribute. When the passwords are hashed with MD5 I can bind as the user just fine. If I hash the password with sha-256 I get invalid credentials.
>
> I wonder: My slappasswd only knows about {SHA} and {SSHA}, {MD5} and {SMD5}, {CRYPT}, and {CLEARTEXT}. Section 14.4 of the manual indicates that hashed passwords are non-standard anyway.
>
> So implement the non-standard on your clients.

No, that's terrible advice. The server should be responsible for all hashing and verification of hashes, otherwise you are guaranteed to get different behavior with different clients. This is the reason why the LDAP Bind operation behaves as it does, and it is the reason why the LDAP PasswordModify operation exists.

>> Is there something I have to change in my client? Is there something I have to change on the server? Is binding a user with a password stored with sha-256 (or at least something better than md5) even possible?
>>
>> Thanks,

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
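As an added illustration (not part of the thread and not OpenLDAP's own code): the userPassword format slappasswd produces for the schemes Ulrich lists, and the server-side comparison a simple bind performs against it. The point the thread makes falls out of the check: a value carrying a scheme prefix the server does not know, such as {SHA256}, cannot be verified at all, so the bind is refused regardless of whether the client hashed correctly. {CRYPT} is omitted because it relies on the platform's crypt(3).

```python
import base64
import hashlib
import hmac
import os

# Digests behind the schemes slappasswd lists in the thread. {CRYPT} is left
# out because it depends on the platform's crypt(3) rather than on hashlib.
_DIGESTS = {"SHA": hashlib.sha1, "MD5": hashlib.md5}

def _lookup(scheme):
    """Map a scheme name to (digest constructor, salted?) or (None, False)."""
    scheme = scheme.upper()
    if scheme in _DIGESTS:                             # {SHA}, {MD5}
        return _DIGESTS[scheme], False
    if scheme[:1] == "S" and scheme[1:] in _DIGESTS:   # {SSHA}, {SMD5}
        return _DIGESTS[scheme[1:]], True
    return None, False

def hash_userpassword(password, scheme, salt=b""):
    """'{SCHEME}' + base64(digest(password || salt) || salt), as slappasswd
    emits it; salted schemes get a 4-byte random salt unless one is given."""
    if scheme.upper() == "CLEARTEXT":
        return "{CLEARTEXT}" + password
    algo, salted = _lookup(scheme)
    if algo is None:
        raise ValueError("unsupported scheme {%s}" % scheme)   # e.g. SHA256
    if not salted:
        salt = b""
    elif not salt:
        salt = os.urandom(4)
    digest = algo(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode())

def verify_bind(stored, candidate):
    """Server-side comparison made during a simple bind. An unrecognised
    prefix cannot be verified, so the bind fails with invalid credentials."""
    if not (stored.startswith("{") and "}" in stored):      # no prefix: cleartext
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, _, payload = stored[1:].partition("}")
    if scheme.upper() == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), candidate.encode())
    algo, salted = _lookup(scheme)
    if algo is None:
        return False                                        # e.g. {SHA256}
    raw = base64.b64decode(payload)
    size = algo().digest_size
    salt = raw[size:] if salted else b""
    expected = algo(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, raw[:size])
```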