directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <>
Subject Re: SearchBaseDN, Kerberos, SASL and password hashing...
Date Mon, 08 Apr 2013 17:08:54 GMT
On Mon, Apr 8, 2013 at 10:00 PM, Emmanuel L├ęcharny <>wrote:

> Hi guys,
> currently, there are two parts of the server that requires to know where
> the user entry should be read from. We use the searchBaseDN, which is
> configured in the ads-searchbasedn in the LDAPserver entry.
> So we just have one single place where we tell the server what is the
> place in the DIT to look for users.
> The pb is that if you activate the Kerberos server, then you have to
> activate the hashPassword interceptor that will hash all the
> userPassword values, no matter what. This will interfer with the users
> that are authenticated using the Simple auth (but we can put them in
> some different place if needed), but more important, the SASL authent
> using CRAM-MD5 or DIGEST-MD5 are using the same searchBaseDN, except
> they *need* the clear text password...
> So how can we solve this ? I suggest we use a list of searchBaseDNs in
> the hashPassword interceptor configuration, and that it only hashes the
> userPassword for the entries stored under those places.
> wdyt ? (see too)
> +1 but with a slight modification, instead of defining this attribute as a
set of "search base"s
it would be good to define as "do not hash the passwords under these DNs"
something like ads-disableHashingUnderDn multi valued attribute
if this attribute is absent all entries' passwords will be hashed

> --
> Regards,
> Cordialement,
> Emmanuel L├ęcharny

Kiran Ayyagari

View raw message