On Wed, Sep 14, 2011 at 3:00 AM, Buchan Milne <[email protected]> wrote:
> On Tuesday, 13 September 2011 23:01:23 sim123 wrote:
> > Hi All,
> >
> > I am trying to store SSHA passwords in openldap instead of plain text via C
> > code and wondering how this works. I tried exploring archives, FAQ etc and
> > what I gathered from there is openLDAP has built in support for various
> > password encryption algorithm however it does not have any APIs for
> > generating passwords
>
> Are you sure?
>
> > and password-hash directive works with ldpapassword
> > utility only.
>
> Really? It seems to work fine from pam_ldap (using 'pam_password exop'),
> Net::LDAP and various other tools.
>
> > http://www.openldap.org/faq/data/cache/906.html
> >
> > If I use some tool like Apache DS and modify my userPassword attribute to
> > be SSHA instead of plain text it all works. I want to know how this works
> > under the hood? Who is responsible for generating hashed passwords? If I
> > generate it using some C routine how does LDAP Server retrieve it during
> > the bind operation? I would really appreciate if there is any related
> > documentation available.
>
> Maybe you should read about the Password Modification extended operation
> ....
>
> IMHO, you shouldn't be hashing passwords on the client-side, it is much better
> to let the DS hash the password in the format it is configured for (so you
> know it will actually be able to use the password, and allowing you to use
> newer/stronger hashes as and when the DS supports them, without coding the
> support yourself).
>

I agree that DS should hash the password, however I am not sure what password modification extended operation is, is it the ldappasswd utility or does openLDAP offer some kind of API to do so? Also, how can I configure hashing in SLAPD? Basically my C program will call ldap_add_ext_s() operation, while doing that how can I make sure that userPassword attribute be treated differently (hashed)? I was looking into password policy and not sure if it suffices for my needs.

> Regards,
> Buchan
>
