[389-users] Re: Help to understand pre-hashed login

2022-01-04 Thread Pierre Rogier
Hi,
Although Marc is right, I do not think it will help you:
  You can generate the hash with pwdhash, then store the hashed value in
userpassword.
   But you still need to use the clear password to authenticate.
If using the hashed value were enough to authenticate, it
would nullify the interest of the hash (because the hashed value would not
protect more than using the clear value).

IMHO if the application is running on the server, the easiest way is to use
ldapi (i.e. a named socket) because no password is needed if the application
has the right to open the socket.

Otherwise strong authentication could be used but that is more painful to
handle on the application side.
A last method is to use reversible encryption to store an encrypted
password and let the application decode it (as ds389 does with the
replication agreement password),
  but the issue is then to protect the encryption key ...

Regards,
  Pierre


On Mon, Jan 3, 2022 at 8:15 PM Marc Sauton wrote:

> You can use the pwdhash command to generate some pre-hashed passwords, and
> then add them to the configurations or into the user's entries:
> man pwdhash
> pwdhash -s SSHA512 pasword
> {SSHA512}JnzerkmYXKEuMcv...snip...
> Thanks,
> M.
>
> On Thu, Dec 30, 2021 at 4:05 AM Caderize Caderize 
> wrote:
>
>> Hello everyone,
>> I am writing a small PHP application in order to manage D389 users.
>> Currently, in order to connect to it, I saved the admin password in clear
>> text in a config.php file, just for testing.
>>
>> Now I would like to move these settings into a MySQL database and hash the
>> password for security reasons, probably sha1 or sha256 with salt (will see).
>> The application should retrieve credentials from the MySQL db (which will be
>> a salted hashed password "{SHA}") and try to connect to D389.
>>
>> My question is: Can D389 authenticate if I pass it a pre-hashed
>> password?
>> Is there any documentation or example to follow?
>>
>> Hope this question will not be considered stupid.
>>
>> Many thanks
>> ___
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
>>


-- 
--

389 Directory Server Development Team
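
Added example (not part of the original messages, and not 389 DS code): a Python sketch of why a stored {SSHA512} value cannot be presented as the bind password. It assumes the usual salted-SHA layout, base64(SHA512(password + salt) + salt), and an 8-byte salt; the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword-style value: base64(SHA512(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumed salt length; the verifier accepts any length
    digest = hashlib.sha512(password.encode() + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode()


def ssha512_verify(presented: str, stored: str) -> bool:
    """Model of a password check: re-hash the presented secret with the stored salt."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:
        return False
    if len(raw) <= DIGEST_LEN:
        return False  # no salt after the digest, so not a salted value
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(presented.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    clear = "Constructed-Sample-Pw1"  # constructed sample, not a real credential
    stored = ssha512_hash(clear)
    return {
        # The clear password re-hashes to the stored digest.
        "clear_password": ssha512_verify(clear, stored),
        # The hash string itself is just another wrong password: it gets hashed again.
        "stored_hash_as_password": ssha512_verify(stored, stored),
        "wrong_password": ssha512_verify("something-else", stored),
    }


if __name__ == "__main__":
    print(demo())
```

The application therefore has to hold something usable as a credential (the clear password, a key, or the right to open the ldapi socket); a one-way hash of the bind password in its own database gives it nothing to bind with.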


[389-users] Re: Help to understand pre-hashed login

2022-01-03 Thread Marc Sauton
You can use the pwdhash command to generate some pre-hashed passwords, and
then add them to the configurations or into the user's entries:
man pwdhash
pwdhash -s SSHA512 pasword
{SSHA512}JnzerkmYXKEuMcv...snip...
Thanks,
M.

On Thu, Dec 30, 2021 at 4:05 AM Caderize Caderize 
wrote:

> Hello everyone,
> I am writing a small PHP application in order to manage D389 users.
> Currently, in order to connect to it, I saved the admin password in clear
> text in a config.php file, just for testing.
>
> Now I would like to move these settings into a MySQL database and hash the
> password for security reasons, probably sha1 or sha256 with salt (will see).
> The application should retrieve credentials from the MySQL db (which will be
> a salted hashed password "{SHA}") and try to connect to D389.
>
> My question is: Can D389 authenticate if I pass it a pre-hashed
> password?
> Is there any documentation or example to follow?
>
> Hope this question will not be considered stupid.
>
> Many thanks