
Re: ClearText Passwords in slapcat: please provide some inputs

Manuel Afonso wrote:
> I have here a big issue: when using phpldapadmin/openldap, all the times there
> is (for each user/entry) a field with
> cleartextPassword: <cleartextpassword> (this is seen in slapcat output)

If you don't want your passwords to be stored in clear then simply don't store
them in clear.

Find out why it's stored there and by which component:
Which schema is this?
Does phpldapadmin create this attribute or another application?
Is the clear-text password actually used (e.g. for some challenge-response)?

The standard mech to store passwords for normal LDAP simple binds is to put a
salted hash of the password in attribute 'userPassword'.

> What I want is to put in place a mechanism where there is no plain text field
> with the password in clear in each entry of openldap.

There is no built-in mechanism in OpenLDAP for reversible encryption of
specific attributes.

Ciao, Michael.
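
An added example, not part of the original message: a small audit of slapcat-style LDIF that reports which entries carry a password in clear. The attribute name `cleartextPassword` comes from the quoted output; the function names, the sample entries and the rule that a `userPassword` value without a `{SCHEME}` prefix (or with `{CLEARTEXT}`) counts as unhashed are assumptions of this sketch.

```python
import base64
import re

SCHEME = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")  # e.g. {SSHA}, {CRYPT}

# Constructed slapcat-style LDIF; the {SSHA} value is a placeholder, not a real hash.
SAMPLE = """\
dn: uid=alice,ou=people,dc=example,dc=com
cleartextPassword: hunter2

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: c2VjcmV0

dn: uid=carol,ou=people,dc=exa
 mple,dc=com
userPassword: {SSHA}Zm9vYmFyZm9vYmFyZm9vYmFyZm9vYmFyc2FsdA==
"""

def unfold(ldif):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_cleartext(ldif):
    """Return (dn, attribute, reason) for each password value stored in clear."""
    findings, dn = [], None
    for line in unfold(ldif):
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        b64 = rest.startswith(":")  # "attr:: value" is base64 encoding, not protection
        value = base64.b64decode(rest[1:].strip()) if b64 else rest.strip().encode()
        name = attr.lower()
        if name == "dn":
            dn = value.decode()
        elif name == "cleartextpassword":
            findings.append((dn, attr, "cleartext attribute"))
        elif name == "userpassword":
            m = SCHEME.match(value)
            if m is None or m.group(1).upper() == b"CLEARTEXT":
                findings.append((dn, attr, "not hashed"))
    return findings

if __name__ == "__main__":
    print(*find_cleartext(SAMPLE), sep="\n")
```

In the sample, alice and bob are reported and carol is not; bob's value looks opaque in the dump only because LDIF base64-encodes it.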
