RE: Can password-hash be database specific? also, storing and verifying cleartext passwords

2010-06-26 Thread masarati
>> -Original Message-
>> Is the 'password-hash' configuration function a server-wide setting
>> only
>> or can it be set to different values for separate databases?
>> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
>> (openldap-2.4.21) and I need to store the password for the MAC
>> addresses
>> in cleartext.  I also use the LDAP server for user login which I don't
>> want to keep in cleartext.  So, my thought was to have 'password-hash
>> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
>> RADIUS database, but it appears that it's a global so I'm pretty sure
>> this won't work.
>
> Yes, each database can have a different hashing mechanism set.
> http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html

I'm afraid that man page is incorrect.  As far as I know, that directive
is global, not database specific.  That's what I get from the code (and
what I remembered).  You can check yourself by adding the directive and
inspecting the content of cn=config.

We need at least to fix the manpage.

p.



Re: Can password-hash be database specific? also, storing and verifying cleartext passwords

2010-06-26 Thread Howard Chu

masar...@aero.polimi.it wrote:

>>> -Original Message-
>>> Is the 'password-hash' configuration function a server-wide setting
>>> only
>>> or can it be set to different values for separate databases?
>>> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
>>> (openldap-2.4.21) and I need to store the password for the MAC
>>> addresses
>>> in cleartext.  I also use the LDAP server for user login which I don't
>>> want to keep in cleartext.  So, my thought was to have 'password-hash
>>> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
>>> RADIUS database, but it appears that it's a global so I'm pretty sure
>>> this won't work.
>>
>> Yes, each database can have a different hashing mechanism set.
>> http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html
>
> I'm afraid that man page is incorrect.  As far as I know, that directive
> is global, not database specific.  That's what I get from the code (and
> what I remembered).  You can check yourself by adding the directive and
> inspecting the content of cn=config.
>
> We need at least to fix the manpage.


The manpage is correct. It clearly states "This setting is only allowed in the 
frontend entry."



--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: Can password-hash be database specific? also, storing and verifying cleartext passwords

2010-06-26 Thread masarati

> The manpage is correct. It clearly states "This setting is only allowed in
> the
> frontend entry."

Right; I was mistaken by the fact that olcPasswordHash is allowed by class
olcGlobal.

p.



Re: Can password-hash be database specific? also, storing and verifying cleartext passwords

2010-06-26 Thread Howard Chu

masar...@aero.polimi.it wrote:

>> The manpage is correct. It clearly states "This setting is only allowed in
>> the
>> frontend entry."
>
> Right; I was mistaken by the fact that olcPasswordHash is allowed by class
> olcGlobal.


Yes, it's allowed in olcGlobal for backward compatibility with slapd.conf, 
which didn't enforce any distinction between global and frontend 
directives. But it's not evaluated there, since it's possible to specify a 
hash mechanism that is loaded from a module (and the moduleLoad parsing hasn't 
occurred yet when olcGlobal is read).


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


RE: Can password-hash be database specific? also, storing and verifying cleartext passwords

2010-06-25 Thread Siddhartha Jain
> -Original Message-
> Is the 'password-hash' configuration function a server-wide setting
> only
> or can it be set to different values for separate databases?
> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
> (openldap-2.4.21) and I need to store the password for the MAC
> addresses
> in cleartext.  I also use the LDAP server for user login which I don't
> want to keep in cleartext.  So, my thought was to have 'password-hash
> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
> RADIUS database, but it appears that it's a global so I'm pretty sure
> this won't work.

Yes, each database can have a different hashing mechanism set.
http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html

olcPasswordHash: hash [hash...]
  This option  configures  one  or  more  hashes  to  be  used  in
  generation   of   user  passwords  stored  in  the  userPassword
  attribute during processing of  LDAP  Password  Modify  Extended
  Operations (RFC 3062).  The hash must be one of {SSHA}, {SHA},
  {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}.  The default is {SSHA}.


You can have more than one password set for a user and have each password use a 
different hash mechanism.

>
> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a global
> 'password-hash {CLEARTEXT}', I have the following ldif file that I add
> with:

What you see is a base64 encoded string. 
http://www.openldap.org/faq/data/cache/1346.html

I am not familiar with MAC-auth RADIUS. Does it require that you pass a 
clear-text string to the RADIUS server? Mostly, RADIUS should send a bind 
request to LDAP and if that succeeds it will allow auth. If that is the case, 
you should not have to use clear-text passwords.

Hope this helps,

- Siddhartha




Re: Can password-hash be database specific? also, storing and verifying cleartext passwords

2010-06-25 Thread Dieter Kluenter
Tom Leach le...@coas.oregonstate.edu writes:

[...]
> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a global
> 'password-hash {CLEARTEXT}', I have the following ldif file that I add
> with:
> ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
>
> Contents of mac.ldif:
> dn:uid=001e68d08ff9,o=radius
> uid: 001e68d08ff9
> cn: 001e68d08ff9
> userPassword: {cleartext}001e68d08ff9
> objectClass: top
> objectClass: radiusProfile
> objectClass: radiusObjectProfile
>
> but when I use ldapsearch or slapcat to dump the database, the
> userPassword line looks to be hashed.
[...]
> userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
[...]

This is just the base64 encoding of the plaintext password. You may
decode it with mmencode -u.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


Re: Can password-hash be database specific? also, storing and verifying cleartext passwords

2010-06-24 Thread masarati
> Is the 'password-hash' configuration function a server-wide setting only

Yes.

> or can it be set to different values for separate databases?

No.

> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
> (openldap-2.4.21) and I need to store the password for the MAC addresses
> in cleartext.  I also use the LDAP server for user login which I don't
> want to keep in cleartext.  So, my thought was to have 'password-hash
> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
> RADIUS database, but it appears that it's a global so I'm pretty sure
> this won't work.
>
> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a global
> 'password-hash {CLEARTEXT}', I have the following ldif file that I add
> with:
> ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
>
> Contents of mac.ldif:
>  dn:uid=001e68d08ff9,o=radius
>  uid: 001e68d08ff9
>  cn: 001e68d08ff9
>  userPassword: {cleartext}001e68d08ff9
>  objectClass: top
>  objectClass: radiusProfile
>  objectClass: radiusObjectProfile
>
> but when I use ldapsearch or slapcat to dump the database, the
> userPassword line looks to be hashed.
> ldap_server# slapcat
>  dn: o=radius
>  o: radius
>  objectClass: top
>  objectClass: organization
>  structuralObjectClass: organization
>  entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
>  creatorsName: cn=Manager,o=radius
>  createTimestamp: 20100618220235Z
>  entryCSN: 20100618220235.020635Z#00#000#00
>  modifiersName: cn=Manager,o=radius
>  modifyTimestamp: 20100618220235Z
>
>  dn: uid=001e68d08ff9,o=radius
>  uid: 001e68d08ff9
>  cn: 001e68d08ff9
>  userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=

This is the base64 encoding of {cleartext}001e68d08ff9

Please note that slapd will hold what you store in it.  password-hash only
hashes passwords that are written by the password modify extended
operation (RFC3062).  So if you write passwords using an add or a modify
operation, it will be stored as it is provided.

p.
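Two points in this thread decide how you check what is really on disk: the `userPassword::` line is only LDIF's base64 encoding of the value (Dieter's reply), and password-hash only rewrites values that arrive through the Password Modify extended operation, so anything written with ldapadd or ldapmodify is stored exactly as given (masarati's reply). The script below, added here as an example and not part of the thread or of OpenLDAP, reads slapcat/ldapsearch output, decodes every userPassword value, and reports its scheme tag so cleartext or untagged values stand out; it also shows the {SSHA} layout slapd stores (SHA-1 digest followed by the salt, base64) so the difference between an encoded and a hashed value is concrete. All function names are this example's own; the first sample entry is the one posted above, while the alice and bob entries and their passwords are constructed for the example.

```python
"""Audit how userPassword is really stored, from slapcat / ldapsearch LDIF output.
Added example for this thread, not OpenLDAP code.  'userPassword::' is LDIF's base64
encoding of a value, not a hash, and password-hash only rewrites values arriving via the
Password Modify exop; a value written by add/modify is stored as given.  So: decode and look.
"""
import base64
import hashlib
import hmac
import os
import re
import sys

SCHEME_RE = re.compile(rb"^\{([^}]*)\}")
CLEAR_SCHEMES = {"CLEARTEXT", "NONE"}  # NONE: no {scheme} tag, slapd compares it as plaintext

def decode_ldif_value(encoded: str) -> bytes:
    """Undo the 'attr:: <base64>' LDIF encoding (what mmencode -u or base64 -d does)."""
    return base64.b64decode(encoded.strip())

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: one dict {attr: [bytes, ...]} per entry, in file order."""
    entries, current = [], {}
    # "\n " joins a continuation line to the previous one; the trailing "" flushes the last entry
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep or rest.startswith("<"):  # malformed, or an 'attr:< file://' reference: skip
            continue
        value = decode_ldif_value(rest[1:]) if rest.startswith(":") else rest.strip().encode("utf-8")
        current.setdefault(name.strip(), []).append(value)
    return entries

def password_scheme(value: bytes) -> str:
    """The {scheme} tag of a userPassword value, upper-cased, or NONE when untagged."""
    m = SCHEME_RE.match(value)
    return m.group(1).decode("ascii", "replace").upper() if m else "NONE"

def audit_userpassword(ldif_text: str) -> list:
    """(dn, scheme) for every userPassword value found."""
    found = []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0].decode("utf-8")
        for value in entry.get("userPassword", []):
            found.append((dn, password_scheme(value)))
    return found

def cleartext_entries(ldif_text: str) -> list:
    """DNs whose password is readable by anyone allowed to read userPassword."""
    return [dn for dn, scheme in audit_userpassword(ldif_text) if scheme in CLEAR_SCHEMES]

def ssha_hash(password: bytes, salt: bytes = None) -> str:
    """{SSHA} in the layout slapd stores: base64(sha1(password + salt) + salt).
    The 4-byte random salt is this example's choice; the layout allows any salt length."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode("ascii")

def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a candidate against a stored {SSHA}: 20-byte SHA-1 digest first, salt after it."""
    if stored[:6].upper() != "{SSHA}":
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

# Constructed sample in slapcat's shape.  The first entry is the one posted in the thread;
# alice and bob are invented for this example (alice's {SSHA} is built here with a fixed salt).
ALICE_SSHA = ssha_hash(b"correct horse", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = (
    "dn: uid=001e68d08ff9,o=radius\n"
    "uid: 001e68d08ff9\n"
    "userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=\n"
    "\n"
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "uid: alice\n"
    f"userPassword: {ALICE_SSHA}\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "uid: bob\n"
    "userPassword: hunter2\n"  # added with no scheme tag: stored and compared as plaintext
)

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF  # e.g. slapcat | python3 audit.py
    print("decoded:", decode_ldif_value("e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk="))
    for dn, scheme in audit_userpassword(text):
        print(f"{scheme:<10} {dn}")
    print("cleartext entries:", cleartext_entries(text))
    print("alice verifies:", ssha_verify(b"correct horse", ALICE_SSHA))
```

Run it with no input to see the constructed sample, or pipe real `slapcat` output into it. The posted value decodes to `{cleartext}001e68d08ff9`, which is why it looked hashed but is not; an untagged value such as bob's is reported as NONE and counted as cleartext, since slapd compares it as plaintext too. Note that the audit only tells you how a value is stored: it cannot tell whether it got there through ldappasswd (hashed by password-hash) or through ldapadd (stored verbatim), which is the distinction the reply above makes.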