On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
> On 02/12/2015 01:25 AM, Michael Lasevich wrote:
> > Ok, after a few awkward questions from an auditor, I am starting to
> > face the uncomfortable truth that my understanding about how FreeIPA
> > works is a lot fuzzier than I would like.
> >
> > Specifically, the question I could not answer - where are the
> > passwords stored and how are they encrypted? My understanding is that
> > all authentication is handled by Kerberos server, which stores its
> > data in LDAP - but where and how is a bit of a mystery to me. Any way
> > to dump out the password hashes?
>
> Passwords are stored in LDAP in two different attributes per entry. One
> with LDAP password hash and another is Kerberos password hash allowing
> authentication either with Kerberos or LDAP. Both follow best practices
> in terms of using hash algorithms. The attributes themselves are
> protected by the access control instructions (ACI) so only a super
> privileged admin or user himself can interact with this attribute.
> During normal operations it is not fetched and read. The core of the DS
> processes it behind the closed doors so it is possible to reset but not
> to read.
> This is how LDAP works and not different from any modern directory server.

Keep in mind that the Kerberos keys are additionally encrypted with a master password, so reading the attribute alone is useless.

Simo.

--
Simo Sorce * Red Hat, Inc * New York