Re: secure passwords

2011-09-14 Thread Michael Ströder
sim123 wrote:
> So I did more research and found that Java or Spring Source has APIs for
> encrypting passwords and I could store the hashed value in OpenLDAP. If that's
> the case, would the LDAP server be able to retrieve the password during bind?
>
> And another interesting read is
>
> http://blogs.oracle.com/DirectoryManager/entry/the_ssha_password_storage_scheme
>
> Is that true for OpenLDAP? Can I use a similar algorithm for generating the
> password? Or should password policy suffice?

Should be the same. Compare to:

http://www.openldap.org/faq/data/cache/347.html

Generating the salted hash of the password can be done by the client or within
slapd when the client sends an LDAP Password Modify extended operation request
(RFC 3062) with the clear-text password (as stated in
http://www.openldap.org/faq/data/cache/906.html).

Note that there are various forms of bind requests. Hashed passwords in
attribute 'userPassword' can only be used with bind methods which send the
plaintext password over the wire (simple bind, SASL/PLAIN), and therefore the
communication has to be protected (by LDAPS or LDAP with StartTLS).

Ciao, Michael.
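The {SSHA} scheme referred to above (the Oracle post and OpenLDAP FAQ 347 describe the same layout) is small enough to show end to end. The following is an added illustration, not code from the thread or from OpenLDAP: it builds a userPassword value the way slapd or a client would, and then does what slapd must do on a simple bind, namely recompute SHA-1 over the clear-text candidate plus the stored salt and compare digests. The password and salt are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes


def ssha_hash(password: bytes, salt: Optional[bytes] = None, salt_len: int = 4) -> str:
    """Build a userPassword value in the {SSHA} scheme.

    Layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    The salt is kept in the clear after the digest so a verifier can
    recompute the hash; it is random per password, so two users with the
    same password still get different stored values.
    """
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a stored {SSHA} value."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to contain digest and salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(stored: str, candidate: bytes) -> bool:
    """What the server does on a simple bind against a hashed userPassword.

    It needs the clear-text candidate: it hashes it with the stored salt and
    compares digests in constant time. Nothing can be recovered from the
    stored value itself, which is why hashed userPassword values only work
    with bind methods that carry the password in clear over the wire.
    """
    digest, salt = ssha_split(stored)
    recomputed = hashlib.sha1(candidate + salt).digest()
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    # Constructed sample: password and salt are made up for this example.
    value = ssha_hash(b"correct horse", salt=b"\x01\x02\x03\x04")
    print(value)
    print("bind with right password:", ssha_verify(value, b"correct horse"))
    print("bind with wrong password:", ssha_verify(value, b"wrong"))
```

A value produced by ssha_hash() can be written into userPassword directly (the client-side variant Michael mentions), or the clear text can be handed to slapd via the Password Modify extended operation and slapd produces the same shape itself. Either way the verification step is identical, so transport protection on the bind is what keeps the clear-text password off the network.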



Re: secure passwords

2011-09-14 Thread Michael Ströder
Buchan Milne wrote:
> IMHO, you shouldn't be hashing passwords on the client-side, it is much
> better to let the DS hash the password

In some use-cases it is better to do client-side hashing. Especially if you
want to set more attributes together with attribute 'userPassword' in a single
modify request (which means single transaction).

Ciao, Michael.



Re: secure passwords

2011-09-14 Thread Simone Piccardi

On 14/09/2011 16:54, Michael Ströder wrote:
> Buchan Milne wrote:
>> IMHO, you shouldn't be hashing passwords on the client-side, it is much better
>> to let the DS hash the password
>
> In some use-cases it is better to do client-side hashing. Especially if you
> want to set more attributes together with attribute 'userPassword' in a single
> modify request (which means single transaction).

I still prefer using the Password Modification extended operation. I can use
smbk5pwd to automatically update all the other relevant information as well
(sambaPwdLastSet, sambaLMPassword, sambaNTPassword), giving much simpler code.
It's unfortunate that the patch to also update shadowLastChange was not applied.


Simone
--
Simone Piccardi                       Truelite Srl
picca...@truelite.it (email/jabber)   Via Monferrato, 6
Tel. +39-347-1032433                  50142 Firenze
http://www.truelite.it                Tel. +39-055-7879597  Fax. +39-055-736



Re: secure passwords

2011-09-14 Thread sim123
On Wed, Sep 14, 2011 at 3:00 AM, Buchan Milne bgmi...@staff.telkomsa.net wrote:

> On Tuesday, 13 September 2011 23:01:23 sim123 wrote:
>> Hi All,
>>
>> I am trying to store SSHA passwords in OpenLDAP instead of plain text via C
>> code and wondering how this works. I tried exploring archives, FAQ etc. and
>> what I gathered from there is OpenLDAP has built-in support for various
>> password encryption algorithms; however, it does not have any APIs for
>> generating passwords
>
> Are you sure?
>
>> and the password-hash directive works with the ldappasswd
>> utility only.
>
> Really? It seems to work fine from pam_ldap (using 'pam_password exop'),
> Net::LDAP and various other tools.
>
>> http://www.openldap.org/faq/data/cache/906.html
>>
>> If I use some tool like Apache DS and modify my userPassword attribute to
>> be SSHA instead of plain text it all works. I want to know how this works
>> under the hood. Who is responsible for generating hashed passwords? If I
>> generate it using some C routine, how does the LDAP server retrieve it during
>> the bind operation? I would really appreciate it if there is any related
>> documentation available.
>
> Maybe you should read about the Password Modification extended operation
>
> IMHO, you shouldn't be hashing passwords on the client-side, it is much
> better to let the DS hash the password in the format it is configured for (so
> you know it will actually be able to use the password, and allowing you to use
> newer/stronger hashes as and when the DS supports them, without coding the
> support yourself).

I agree that the DS should hash the password; however, I am not sure what the
password modification extended operation is. Is it the ldappasswd utility, or
does OpenLDAP offer some kind of API to do so? Also, how can I configure
hashing in SLAPD?

Basically my C program will call the ldap_add_ext_s() operation; while doing
that, how can I make sure that the userPassword attribute is treated differently
(hashed)? I was looking into password policy and am not sure if it suffices my
needs.

> Regards,
> Buchan



Re: secure passwords

2011-09-14 Thread Michael Ströder
sim123 wrote:
> I am not sure what password modification extended operation is

It's a separate LDAP extended operation working on an already existing entry,
not a normal modify operation (see RFC 3062).

> is it ldappasswd utility

Yes.

> or does openLDAP offer some kind of API to do so?

See functions ldap_passwd/ldap_passwd_s in OpenLDAP's C API.

> Also, how can I configure hashing in SLAPD?

You already posted the relevant FAQ entry.

Watch out for password-hash in the slapd.conf man page.

Ciao, Michael.
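To make the Password Modify extended operation concrete: ldappasswd and ldap_passwd_s both send an ExtendedRequest whose requestName is the OID 1.3.6.1.4.1.4203.1.11.1 and whose requestValue is the BER-encoded PasswdModifyRequestValue from RFC 3062, section 2.1. The following added example (not OpenLDAP or thread code) encodes that value with a minimal BER writer and decodes it the way a server would before hashing newPasswd according to its password-hash setting. The OID and context tags are from the RFC; the DN and passwords are constructed samples.

```python
from typing import Dict, Optional, Tuple

# OID of the LDAP Password Modify extended operation (RFC 3062, section 2.1).
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Context-specific IMPLICIT tags used inside PasswdModifyRequestValue.
TAG_USER_IDENTITY = 0x80  # [0] userIdentity  OCTET STRING OPTIONAL
TAG_OLD_PASSWD = 0x81     # [1] oldPasswd     OCTET STRING OPTIONAL
TAG_NEW_PASSWD = 0x82     # [2] newPasswd     OCTET STRING OPTIONAL
TAG_SEQUENCE = 0x30


def _ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def encode_request(user_identity: Optional[bytes] = None,
                   old_passwd: Optional[bytes] = None,
                   new_passwd: Optional[bytes] = None) -> bytes:
    """Build the requestValue octets carried in the ExtendedRequest.

    All three fields are optional: omitting userIdentity means "the bound
    entry"; omitting newPasswd asks the server to generate a password and
    return it as genPasswd in the response value.
    """
    inner = b""
    if user_identity is not None:
        inner += _tlv(TAG_USER_IDENTITY, user_identity)
    if old_passwd is not None:
        inner += _tlv(TAG_OLD_PASSWD, old_passwd)
    if new_passwd is not None:
        inner += _tlv(TAG_NEW_PASSWD, new_passwd)
    return _tlv(TAG_SEQUENCE, inner)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one TLV starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER data")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_request(data: bytes) -> Dict[str, bytes]:
    """Parse a requestValue back into named fields (what slapd sees).

    Note that newPasswd arrives in clear text; the server hashes it itself,
    which is why this operation also needs a protected transport.
    """
    tag, inner, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("requestValue is not a single SEQUENCE")
    names = {TAG_USER_IDENTITY: "userIdentity",
             TAG_OLD_PASSWD: "oldPasswd",
             TAG_NEW_PASSWD: "newPasswd"}
    fields: Dict[str, bytes] = {}
    pos = 0
    while pos < len(inner):
        tag, value, pos = _read_tlv(inner, pos)
        if tag not in names or names[tag] in fields:
            raise ValueError("unexpected or repeated tag 0x%02x" % tag)
        fields[names[tag]] = value
    return fields


if __name__ == "__main__":
    # Constructed sample DN and password for demonstration only.
    req = encode_request(user_identity=b"uid=alice,dc=example,dc=com",
                         new_passwd=b"new-secret")
    print(PASSWD_MODIFY_OID, req.hex())
    print(decode_request(req))
```

Because the operation targets an existing entry, an ldap_add_ext_s() call and the password change cannot be folded into one request; the usual sequence is add the entry, then issue the exop. The decoder also shows the practical difference from a plain modify of userPassword: the server receives the clear text and applies its own password-hash scheme, so the client never has to know which hash is configured.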



Re: secure passwords

2011-09-14 Thread sim123
2011/9/14 sim123 sim3...@gmail.com

> 2011/9/14 Michael Ströder mich...@stroeder.com
>
>> sim123 wrote:
>>> I am not sure what password modification extended operation is
>>
>> It's a separate LDAP extended operation working on an already existing
>> entry, not a normal modify operation (see RFC 3062).
>
> So if I add a user from the C API, it should add blank in the userPassword
> attribute and then I modify userPassword, is that correct? Can I do the add and
> modify in the same modify request to guarantee the atomicity of the operation?
> Would LDAP still treat it as an extended operation?
>
>>> is it ldappasswd utility
>>
>> Yes.
>>
>>> or does openLDAP offer some kind of API to do so?
>>
>> See functions ldap_passwd/ldap_passwd_s in OpenLDAP's C API.
>
> Could not find these functions in the man page or a Google search; can you
> please point me to a reference? Thanks for the help.
>
>>> Also, how can I configure hashing in SLAPD?
>>
>> You already posted the relevant FAQ entry.
>>
>> Watch out for password-hash in the slapd.conf man page.
>
> Thanks for the help and support, I really appreciate it.
>
>> Ciao, Michael.

I was also wondering about using ppolicy. I read that if I use
ppolicy_hash_cleartext then the server will hash the clear-text password even
for modify operations, as opposed to the password modify extended operation, so
which one is better?

Thanks


secure passwords

2011-09-13 Thread sim123
Hi All,

I am trying to store SSHA passwords in OpenLDAP instead of plain text via C
code and wondering how this works. I tried exploring archives, FAQ etc. and
what I gathered from there is OpenLDAP has built-in support for various
password encryption algorithms; however, it does not have any APIs for
generating passwords and the password-hash directive works with the ldappasswd
utility only.

http://www.openldap.org/faq/data/cache/906.html

If I use some tool like Apache DS and modify my userPassword attribute to be
SSHA instead of plain text it all works. I want to know how this works under
the hood. Who is responsible for generating hashed passwords? If I generate
it using some C routine, how does the LDAP server retrieve it during the bind
operation? I would really appreciate it if there is any related documentation
available.

Thanks for the help and support.


Re: secure passwords

2011-09-13 Thread sim123
So I did more research and found that Java or Spring Source has APIs for
encrypting passwords and I could store the hashed value in OpenLDAP. If
that's the case, would the LDAP server be able to retrieve the password during
bind?

And another interesting read is

http://blogs.oracle.com/DirectoryManager/entry/the_ssha_password_storage_scheme

Is that true for OpenLDAP? Can I use a similar algorithm for generating the
password? Or should password policy suffice?


On Tue, Sep 13, 2011 at 2:01 PM, sim123 sim3...@gmail.com wrote:

> Hi All,
>
> I am trying to store SSHA passwords in OpenLDAP instead of plain text via C
> code and wondering how this works. I tried exploring archives, FAQ etc. and
> what I gathered from there is OpenLDAP has built-in support for various
> password encryption algorithms; however, it does not have any APIs for
> generating passwords and the password-hash directive works with the ldappasswd
> utility only.
>
> http://www.openldap.org/faq/data/cache/906.html
>
> If I use some tool like Apache DS and modify my userPassword attribute to
> be SSHA instead of plain text it all works. I want to know how this works
> under the hood. Who is responsible for generating hashed passwords? If I
> generate it using some C routine, how does the LDAP server retrieve it during
> the bind operation? I would really appreciate it if there is any related
> documentation available.
>
> Thanks for the help and support.