Re: change password for user
Zhang Huangbin wrote:
> Michael Ströder wrote:
>>> so it would be nice to have
>>> the directory server do the hashing instead. I've found the
>>> method:
>>>
>>> passwd_s(user, oldpw, newpw, [serverctrls=None, [clientctrls=None]])
>>>
>>> but are there any way to use that when I don't know the plaintext
>>> 'oldpw' ?
>>>
>>
>> Simply use None for oldpw.
>
> How can I specify hash mechanism in passwd_s()? like SSHA, MD5.
You don't. That's completely configured at the server's side.
> It seems use default setting of ldap server (password-hash in openldap
> slapd.conf),
Yes. Other LDAP servers might have a different configuration. Also some
servers set other password attributes as well (e.g. the smbk5pwd overlay
for OpenLDAP sets Samba password attributes and the Kerberos keys for a
heimdal KDC).
Ciao, Michael.
--
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
Re: change password for user
Michael Ströder wrote:
> Yes. Other LDAP servers might have a different configuration. Also some
> servers set other password attributes as well (e.g. the smbk5pwd overlay
> for OpenLDAP sets Samba password attributes and the Kerberos keys for a
> heimdal KDC).
>
> Ciao, Michael.
>
Thanks Michael. :)
How can I set DEFAULT password-hash in slapd.conf? such as MD5 or whatever.
--
Best regards.
Zhang Huangbin
- Open Source Mail Server Solution for RHEL/CentOS 5.x:
  http://code.google.com/p/iredmail/
Re: change password for user
Zhang Huangbin wrote:
> Michael Ströder wrote:
>> Yes. Other LDAP servers might have a different configuration. Also some
>> servers set other password attributes as well (e.g. the smbk5pwd overlay
>> for OpenLDAP sets Samba password attributes and the Kerberos keys for a
>> heimdal KDC).
>
> How can I set DEFAULT password-hash in slapd.conf? such as MD5 or whatever.
That's more a question for the openldap-software mailing list. Since you
already found the password-hash parameter you could simply use it:
password-hash {SSHA}
Ciao, Michael.
Re: change password for user
On 2009-03-09, Michael Ströder wrote:
>
>
> > But, it occurred to me that I'm not fully sure what I'm doing
> > when creating the SSHA1 hash,
>
> If the password is usable afterwards there's nothing wrong with
> client-side password hashing. The salt should be at least 4 bytes long.
Still, I'm uncertain how f.ex. character encodings will/should be
handled, so it seems safer to let the directory server handle both the
hashing and verification.
>
> Simply use None for oldpw.
>
It didn't like None:
    Traceback (most recent call last):
      File "./update-ldap-from-atmail.py", line 166, in ?
        con.passwd_s( dn, None, mailpassword )
      File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 330, in passwd_s
        msgid = self.passwd(user,oldpw,newpw,serverctrls,clientctrls)
      File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 327, in passwd
        return self._ldap_call(self._l.passwd,user,oldpw,newpw,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))
      File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
        result = func(*args,**kwargs)
    TypeError: argument 2 must be string or read-only buffer, not None
but "" seems to work (after I set up SSL to get around the
ldap.CONFIDENTIALITY_REQUIRED).
Thanks!
-jf
Re: change password for user
Jan-Frode Myklebust wrote:
> On 2009-03-09, Michael Ströder wrote:
>>> But, it occurred to me that I'm not fully sure what I'm doing
>>> when creating the SSHA1 hash,
>> If the password is usable afterwards there's nothing wrong with
>> client-side password hashing. The salt should be at least 4 bytes long.
>
> Still, I'm uncertain how f.ex. character encodings will/should be
> handled, so it seems safer to let the directory server handle both the
> hashing and verification.
For LDAPv3 you should pass UTF-8 to the python-ldap functions/methods or
before hashing the password. (In theory one has to use SASLprep before
the UTF-8 encoding but in most cases this is the same).
Ciao, Michael.
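Added example, not part of the original thread and not python-ldap code: client-side {SSHA} hashing as discussed above, with the password encoded as UTF-8 before hashing and a salt of at least 4 bytes. The function names make_ssha and check_ssha, the 8-byte default salt and the sample password are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value: {SSHA} + base64(SHA1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumption: 8 random bytes; thread asks for >= 4
    if len(salt) < 4:
        raise ValueError("salt must be at least 4 bytes")
    pw = password.encode("utf-8")  # LDAPv3: hash the UTF-8 bytes
    digest = hashlib.sha1(pw + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str, encoding: str = "utf-8") -> bool:
    """Verify a password against an {SSHA} value using the given encoding."""
    if stored[:len(SCHEME)].upper() != SCHEME:
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    # The salt is whatever follows the fixed-length digest.
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode(encoding) + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    sample = "p\u00e4ssword"  # constructed sample with a non-ASCII character
    value = make_ssha(sample)
    print(value)
    print("utf-8 check:  ", check_ssha(sample, value))
    print("latin-1 check:", check_ssha(sample, value, "latin-1"))
```

The Latin-1 check fails because the non-ASCII character is one byte in Latin-1 and two in UTF-8, so a hash made from the wrong encoding never matches what is hashed at bind time.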
