On July 14, 2001 02:06 pm, pop corn wrote:
> FYI, the OpenLDAP FAQ-O-Matic shows the following when I did a search for
> slappasswd. Apparently, OpenLDAP recommends SSHA over md5, crypt, and
> obviously, cleartext. The Netscape article that it refers to suggests using
> "pwdhash" to generate or check userPassword values. This program is
> included with Netscape Directory server. The article includes two perl
> scripts and a java program to generate the SSHA password.
>
> What do you and Henning think of SSHA over MD5?
The LDAP root password as stored in our slapd.conf is stored in SSHA simply
because it was the default and it worked. That was an easy choice.

As far as the user account passwords, well, this is email we're talking
about. 99% of my clients send their passwords clear text to the POP3 server
all day long. Also, slapd does not receive connections from anywhere but our
LAN. So, in order to get the data out of our server, somebody would have to
have already cracked a box on our LAN, or plugged a box into our LAN. From
there, it would be a lot easier just to sniff the network for the passwords
rather than trying to crack the MD5 passwords.

MD5 was our choice because:
1. It was the first one we tried that worked.
2. It is a familiar method that is known to be quite good.
-Eric
--
arctic bears - the internet - your way.
email hosting from US$8/month, domains from US$19/year.
http://www.arcticbears.com
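To make the SSHA-versus-MD5 comparison in this thread concrete, here is an added example in Python; it is not code from the list, from the OpenLDAP project, or from the Netscape article mentioned above. It builds and checks userPassword values in the two layouts slappasswd writes ("{SSHA}" + base64(sha1(password + salt) + salt) and "{MD5}" + base64(md5(password))) and shows why the salted scheme was recommended: two accounts with the same password get identical {MD5} values but different {SSHA} values, so a stolen directory dump cannot be attacked one hash at a time against all users. The function names and the four-byte salt length are my own choices; the byte layouts are the standard ones.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example (not OpenLDAP code). Layouts:
#   {SSHA}  base64( sha1(password || salt) || salt )
#   {MD5}   base64( md5(password) )
SHA1_LEN = 20          # bytes in a SHA-1 digest; everything after it is salt
SALT_LEN = 4           # salt size used here (assumption; slappasswd also uses a short salt)


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the {SSHA} layout, salting randomly by default."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh salt per stored value
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_md5(password: str) -> str:
    """Return a userPassword value in the unsalted {MD5} layout."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); raises ValueError on malformed input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("payload too short to contain a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SSHA} or {MD5} userPassword value."""
    pw = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        try:
            digest, salt = split_ssha(stored)
        except ValueError:
            return False
        # constant-time comparison so timing does not leak how many bytes matched
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{MD5}"):
        raw = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError("unsupported userPassword scheme")


def same_password_demo(password: str) -> Tuple[bool, bool]:
    """Store one password for two accounts; report whether the two values collide.

    Returns (md5_values_identical, ssha_values_identical).
    """
    md5_a, md5_b = make_md5(password), make_md5(password)
    ssha_a, ssha_b = make_ssha(password), make_ssha(password)
    return md5_a == md5_b, ssha_a == ssha_b


if __name__ == "__main__":
    value = make_ssha("correct horse")       # constructed sample password
    print(value, verify(value, "correct horse"), verify(value, "wrong"))
    print("md5 identical, ssha identical:", same_password_demo("correct horse"))
```

Eric's point about the LAN still stands with or without this: the hash scheme only matters once someone already has a copy of the directory, and salting is what stops that copy from being attacked for all accounts at once. SHA-1 itself is no longer considered strong for password storage, and newer OpenLDAP releases provide password-hash modules for schemes such as PBKDF2 and Argon2, so the same verify-by-prefix logic above is how a migration can accept old and new values side by side.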