directory-users mailing list archives

From Emmanuel Lécharny <>
Subject Re: Can we send SHA of password as the credential for LDAP authentication..
Date Sat, 16 Feb 2013 07:03:38 GMT
On 2/16/13 3:21 AM, suresh ramamurthy wrote:
> Hi..
> We have a requirement to not send clear text as the credential for LDAP bind operation.
> So, we store SHA of the password in the Apache DS LDAP server and we would like to send the SHA of the password from client as
> the user credential for LDAP authentication. For example, we can set the password as
> Is it possible to configure Apache DS to ignore hash conversion of the input password and just compare the password with LDAP DB?

Store the hashed password in LDAP. Be sure to remove the {SHA} part
though. Doing a simple bind using the hash as a credential will just
compare this hash value with the stored part in the server. That should work.

> I googled for a couple of days and I also looked in the Apache DS code and found that during bind operation, input password is hashed
> using the algorithm stored along with the password in LDAP DB and then the result is
> Can anyone please shed light on this and let me know if we can send SHA of the password from client instead of the real password for LDAP authentication.
> Also, is this a valid approach or sending clear password from client is the only approach (assuming ssl is enabled..)

This is an approach that will work, but this is a totally unsafe way to
do things. It provides a false feeling of security, because it's not any
safer than passing the password itself.

The only reason I can see to do such a thing is that you have a bunch of
existing hashed passwords and you want to move them into an LDAP server,
without asking the users to retype the passwords.

Emmanuel Lécharny 
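The following is an added illustration of the two bind behaviours discussed in this thread; it is not ApacheDS code and not part of the original message. It models a simple bind against a userPassword attribute: when the stored value carries a {SHA} prefix, the server hashes the supplied credential and compares digests (the behaviour suresh found in the code); when the prefix has been stripped, as Emmanuel suggests, the server compares the raw bytes. The function names and the sample password are constructed for the example. The last check is the point of Emmanuel's warning: once the prefix is gone, the stored value itself is a valid credential, so a copy of the directory attribute (or of the bind on the wire) is worth exactly as much as the plaintext password.

```python
"""Model of an LDAP simple bind against a {SHA}-scheme userPassword.

Added example for this thread (not ApacheDS code). Assumed/constructed:
the helper names below and the sample password "s3cret".
"""
import base64
import hashlib
import hmac

SHA_PREFIX = "{SHA}"


def sha_password_value(password: str) -> str:
    """Encode a password the way the {SHA} userPassword scheme stores it:
    the {SHA} marker followed by base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def bind_check(stored: str, credential: str) -> bool:
    """Return True if `credential` satisfies the stored userPassword value.

    Prefixed value: hash the supplied credential with the scheme named in
    the prefix and compare digests (the behaviour described in the thread).
    Unprefixed value: plain byte-for-byte comparison of stored vs supplied.
    """
    if stored.startswith(SHA_PREFIX):
        expected = base64.b64decode(stored[len(SHA_PREFIX):])
        actual = hashlib.sha1(credential.encode("utf-8")).digest()
        return hmac.compare_digest(expected, actual)
    # No scheme marker: the server has nothing to hash with, so it compares
    # the raw strings. Whatever is stored is therefore the credential itself.
    return hmac.compare_digest(stored.encode("utf-8"), credential.encode("utf-8"))


def stored_value_is_password_equivalent(stored: str) -> bool:
    """True when presenting the stored value verbatim as the bind credential
    succeeds, i.e. when a copy of the attribute is as good as the password."""
    return bind_check(stored, stored)


def demo(password: str = "s3cret") -> dict:
    """Walk through the thread's scenarios and return the outcomes."""
    prefixed = sha_password_value(password)          # normal {SHA} storage
    stripped = prefixed[len(SHA_PREFIX):]            # Emmanuel's suggestion
    return {
        "prefixed_accepts_plaintext": bind_check(prefixed, password),
        "prefixed_accepts_hash": bind_check(prefixed, stripped),
        "stripped_accepts_hash": bind_check(stripped, stripped),
        "stripped_accepts_plaintext": bind_check(stripped, password),
        "prefixed_value_is_credential": stored_value_is_password_equivalent(prefixed),
        "stripped_value_is_credential": stored_value_is_password_equivalent(stripped),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows that with the prefix in place the stored value is not itself a usable credential (the server re-hashes whatever the client sends), while with the prefix stripped it is; that is the sense in which the scheme is "not any safer than passing the password itself".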
