RE: Can password-hash be database specific? also, storing and verifying cleartext passwords
-----Original Message-----
>> Is the 'password-hash' configuration function a server-wide setting
>> only or can it be set to different values for separate databases?
>> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
>> (openldap-2.4.21) and I need to store the password for the MAC
>> addresses in cleartext. I also use the LDAP server for user login
>> which I don't want to keep in cleartext. So, my thought was to have
>> 'password-hash {SSHA}' for the users database, and 'password-hash
>> {CLEARTEXT}' for the RADIUS database, but it appears that it's a
>> global so I'm pretty sure this won't work.
>
> Yes, each database can have a different hashing mechanism set.
> http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html

I'm afraid that man page is incorrect. As far as I know, that directive is global, not database specific. That's what I get from the code (and what I remembered). You can check yourself by adding the directive and inspecting the content of cn=config.

We need at least to fix the manpage.

p.
Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
masar...@aero.polimi.it wrote:
> -----Original Message-----
>>> Is the 'password-hash' configuration function a server-wide setting
>>> only or can it be set to different values for separate databases?
>>> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
>>> (openldap-2.4.21) and I need to store the password for the MAC
>>> addresses in cleartext. I also use the LDAP server for user login
>>> which I don't want to keep in cleartext. So, my thought was to have
>>> 'password-hash {SSHA}' for the users database, and 'password-hash
>>> {CLEARTEXT}' for the RADIUS database, but it appears that it's a
>>> global so I'm pretty sure this won't work.
>>
>> Yes, each database can have a different hashing mechanism set.
>> http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html
>
> I'm afraid that man page is incorrect. As far as I know, that directive
> is global, not database specific. That's what I get from the code (and
> what I remembered). You can check yourself by adding the directive and
> inspecting the content of cn=config.
>
> We need at least to fix the manpage.

The manpage is correct. It clearly states "This setting is only allowed in the frontend entry."

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
> The manpage is correct. It clearly states "This setting is only allowed
> in the frontend entry."

Right; I was mistaken by the fact that olcPasswordHash is allowed by class olcGlobal.

p.
Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
masar...@aero.polimi.it wrote:
>> The manpage is correct. It clearly states "This setting is only allowed
>> in the frontend entry."
>
> Right; I was mistaken by the fact that olcPasswordHash is allowed by
> class olcGlobal.

Yes, it's allowed in olcGlobal for backward compatibility with slapd.conf, which didn't enforce any distinction between global and frontend directives. But it's not evaluated there, since it's possible to specify a hash mechanism that is loaded from a module (and the moduleLoad parsing hasn't occurred yet when olcGlobal is read).

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
RE: Can password-hash be database specific? also, storing and verifying cleartext passwords
-----Original Message-----
> Is the 'password-hash' configuration function a server-wide setting
> only or can it be set to different values for separate databases?
> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
> (openldap-2.4.21) and I need to store the password for the MAC
> addresses in cleartext. I also use the LDAP server for user login
> which I don't want to keep in cleartext. So, my thought was to have
> 'password-hash {SSHA}' for the users database, and 'password-hash
> {CLEARTEXT}' for the RADIUS database, but it appears that it's a
> global so I'm pretty sure this won't work.

Yes, each database can have a different hashing mechanism set.
http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html

    olcPasswordHash: <hash> [<hash>...]
        This option configures one or more hashes to be used in
        generation of user passwords stored in the userPassword
        attribute during processing of LDAP Password Modify Extended
        Operations (RFC 3062). The <hash> must be one of {SSHA},
        {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default
        is {SSHA}.

You can have more than one password set for a user and have each password use a different hash mechanism.

> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a
> global 'password-hash {CLEARTEXT}', I have the following ldif file
> that I add with:

What you see is a base64 encoded string.
http://www.openldap.org/faq/data/cache/1346.html

I am not familiar with MAC-auth RADIUS. Does it require that you pass a clear-text string to the RADIUS server? Mostly, RADIUS should send a bind request to LDAP and if that succeeds it will allow auth. If that is the case, you should not have to use clear-text passwords.

Hope this helps,
- Siddhartha
Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
Tom Leach <le...@coas.oregonstate.edu> writes:

[...]

> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a
> global 'password-hash {CLEARTEXT}', I have the following ldif file
> that I add with:
>
> ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
>
> Contents of mac.ldif:
>
> dn:uid=001e68d08ff9,o=radius
> uid: 001e68d08ff9
> cn: 001e68d08ff9
> userPassword: {cleartext}001e68d08ff9
> objectClass: top
> objectClass: radiusProfile
> objectClass: radiusObjectProfile
>
> but when I use ldapsearch or slapcat to dump the database, the
> userPassword line looks to be hashed.

[...]

> userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=

[...]

This is just the base64 encoding of the plaintext password. You may decode this by

    mmencode -u

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: Can password-hash be database specific? also, storing and verifying cleartext passwords
> Is the 'password-hash' configuration function a server-wide setting
> only

Yes.

> or can it be set to different values for separate databases?

No.

> I'm trying to add MAC-auth RADIUS functionality to my LDAP server
> (openldap-2.4.21) and I need to store the password for the MAC
> addresses in cleartext. I also use the LDAP server for user login
> which I don't want to keep in cleartext. So, my thought was to have
> 'password-hash {SSHA}' for the users database, and 'password-hash
> {CLEARTEXT}' for the RADIUS database, but it appears that it's a
> global so I'm pretty sure this won't work.
>
> Also, how do I verify that the passwords are stored in cleartext?
> On a test server, I've created just the radius database with a
> global 'password-hash {CLEARTEXT}', I have the following ldif file
> that I add with:
>
> ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
>
> Contents of mac.ldif:
>
> dn:uid=001e68d08ff9,o=radius
> uid: 001e68d08ff9
> cn: 001e68d08ff9
> userPassword: {cleartext}001e68d08ff9
> objectClass: top
> objectClass: radiusProfile
> objectClass: radiusObjectProfile
>
> but when I use ldapsearch or slapcat to dump the database, the
> userPassword line looks to be hashed.
>
> ldap_server# slapcat
> dn: o=radius
> o: radius
> objectClass: top
> objectClass: organization
> structuralObjectClass: organization
> entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
> creatorsName: cn=Manager,o=radius
> createTimestamp: 20100618220235Z
> entryCSN: 20100618220235.020635Z#00#000#00
> modifiersName: cn=Manager,o=radius
> modifyTimestamp: 20100618220235Z
>
> dn: uid=001e68d08ff9,o=radius
> uid: 001e68d08ff9
> cn: 001e68d08ff9
> userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=

This is the base64 encoding of

    {cleartext}001e68d08ff9

Please note that slapd will hold what you store in it. password-hash only hashes passwords that are written by the password modify extended operation (RFC 3062). So if you write passwords using an add or a modify operation, it will be stored as it is provided.

p.
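The two practical points in this thread are that a `::` value in LDIF output is only base64 of the raw octets (so `{cleartext}` survives exactly as written) and that `password-hash` never touches a value written by `ldapadd`/`ldapmodify`, so anyone who wants hashed storage must hash before the add. The script below is an added example, not code from the thread or from the OpenLDAP project: it parses a slapcat-style dump, reports the storage scheme of every `userPassword`, verifies a candidate against `{CLEARTEXT}` and `{SSHA}` values the way slapd's `lutil_passwd` does (SSHA as used by OpenLDAP is `base64(SHA1(password || salt) || salt)`), and produces an `{SSHA}` value equivalent to `slappasswd -h '{SSHA}'` for pre-hashing. The first entry is the RADIUS entry from the thread; the second entry, its password and salt, are constructed for the example.

```python
"""Audit userPassword storage in an LDIF dump and verify/generate values.

Added example for this thread (not OpenLDAP code). Models the two
userPassword formats discussed: {CLEARTEXT} stored verbatim, and
{SSHA} = base64(sha1(password + salt) + salt) as produced by slappasswd.
"""
import base64
import hashlib
import hmac
import os
import re

# "{SCHEME}payload"; scheme names are matched case-insensitively like slapd does.
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def parse_ldif(text):
    """Return one {attr: [raw bytes, ...]} dict per entry.
    Handles 'attr:: base64' values and leading-space continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" -> raw octets
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        current.setdefault(attr.strip(), []).append(data)
    return entries


def split_scheme(stored):
    """(SCHEME, payload) for a userPassword value; (None, value) if no {prefix},
    which slapd then compares as cleartext."""
    m = SCHEME_RE.match(stored)
    if not m:
        return None, stored
    return m.group(1).decode().upper(), m.group(2)


def ssha_hash(password, salt=None):
    """{SSHA} value like slappasswd -h '{SSHA}': base64(sha1(pw+salt)+salt).
    Use this before ldapadd/ldapmodify, since password-hash only applies to the
    Password Modify exop."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def check_password(stored, candidate):
    """True if candidate matches the stored {CLEARTEXT}/{SSHA} value."""
    scheme, payload = split_scheme(stored)
    if scheme in (None, "CLEARTEXT"):
        return hmac.compare_digest(payload, candidate.encode())
    if scheme == "SSHA":
        blob = base64.b64decode(payload)
        digest, salt = blob[:20], blob[20:]    # SHA-1 is 20 bytes; rest is salt
        return hmac.compare_digest(
            hashlib.sha1(candidate.encode() + salt).digest(), digest)
    raise ValueError(f"unsupported scheme {scheme}")


def report(ldif_text):
    """[(dn, scheme, stored_in_clear), ...] for every userPassword in the dump."""
    out = []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0].decode()
        for pw in entry.get("userPassword", []):
            scheme, _ = split_scheme(pw)
            out.append((dn, scheme, scheme in (None, "CLEARTEXT")))
    return out


# Constructed sample dump: the RADIUS entry from the thread plus a made-up user
# entry whose {SSHA} value uses a fixed salt so the sample is reproducible.
USER_SSHA = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = f"""dn: uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
objectClass: top
objectClass: radiusProfile
objectClass: radiusObjectProfile

dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
userPassword:: {base64.b64encode(USER_SSHA).decode()}
objectClass: inetOrgPerson
"""

if __name__ == "__main__":
    for dn, scheme, clear in report(SAMPLE_LDIF):
        print(f"{dn}: scheme={scheme} stored_in_clear={clear}")
    print(check_password(b"{cleartext}001e68d08ff9", "001e68d08ff9"))
    print(check_password(USER_SSHA, "correct horse"), check_password(USER_SSHA, "wrong"))
```

Running `report()` over real `slapcat` output is a quick way to find every entry whose password is held in the clear after a bulk `ldapadd`, which is what the thread's `{cleartext}` entry looks like once decoded. For the RADIUS use case the decision is still whether the RADIUS side needs the cleartext at all: if it can simply bind as the MAC-address entry, the value can be stored as `{SSHA}` like every other account, and the frontend-only `password-hash` setting stops mattering for those entries.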