directory-users mailing list archives

From Emmanuel Lécharny
Subject Re: Can we send SHA of password as the credential for LDAP authentication..
Date Sun, 17 Feb 2013 00:37:15 GMT
On 2/16/13 6:25 PM, Linus van Geuns wrote:
> Hey Suresh,
>>> Is it possible to configure Apache DS to ignore hash conversion of the
>>> input password and just compare the password with LDAP DB?
>> Store the hashed password in LDAP. Be sure to remove the {SHA} part
>> though. Doing a simple bind using the hash as a credential will just
>> compare this hash value with the stored part in the server. That should
>> work.
> For this to work, any LDAP client would need to actually hash the password
> typed in by a user and send this hash as the simple credential within LDAP
> Bind requests.
> So, you would almost probably need to change the implementation of every
> LDAP client that needs to connect to your directory.
No. LDAP clients don't hash, nor do they need to hash, the password, as soon as
the password is stored hashed on a server, without the hash key in front
of it.

So you don't have to change anything on the client side?
> Also, when using the hash value as simple credential, the hash value itself
> becomes the password.
No. The hash value does not become a password, it becomes a way to get
connected to the LDAP server, but your password is still safe - as soon
as it's strong enough not to be cracked using a rainbow table. Obviously,
if your password is something like "james007", you are dead.
> If an attacker can intercept the hash value sent by a LDAP client, he can
> use this hash to successfully bind with your directory.
The very same for the password. At least, the attacker will not have
your password, just its hash value.
> Additionally, if some attacker would retrieve hashed passwords from your
> directory itself (backup files, etc), he could use those hashes to
> successfully bind with your directory.
True. This is a weakness, because I don't really think that anyone will
be able to remember a hash value - assuming the value will be pure
> So, this approach would lead to (a) your directory storing "clear text
> passwords"
No. Hash of passwords.
>  (b) your LDAP clients sending "clear text passwords" over the
> wire.
No difference with what you get when you send a password.

Still, I see little value on this requirement...

Emmanuel Lécharny 
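
The comparison discussed in this thread, as an added example that is not part of the original message and is not ApacheDS code: a simplified model of a server-side simple bind check, showing that a hash stored without its {SHA} prefix is accepted verbatim as the credential, while a stored {SSHA} value is not. The function names and the sample password are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os


def sha_b64(password: bytes) -> bytes:
    """Base64 of the SHA-1 digest, i.e. the value that follows '{SHA}'."""
    return base64.b64encode(hashlib.sha1(password).digest())


def ssha_value(password: bytes, salt: bytes) -> bytes:
    """'{SSHA}' + base64(SHA-1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def simple_bind(stored: bytes, presented: bytes) -> bool:
    """Simplified model of a simple bind check (hypothetical, not ApacheDS code)."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(presented + salt).digest(), digest)
    if stored.startswith(b"{SHA}"):
        return hmac.compare_digest(sha_b64(presented), stored[5:])
    # No scheme prefix: the stored value is treated as the password itself.
    return hmac.compare_digest(presented, stored)


def compare_schemes(password: bytes) -> dict:
    """Bind outcomes for a prefix-less hash versus a salted {SSHA} value."""
    bare = sha_b64(password)                      # hash stored without '{SHA}'
    salted = ssha_value(password, os.urandom(8))  # conventional salted storage
    return {
        "bare_bind_with_hash": simple_bind(bare, bare),
        "bare_bind_with_password": simple_bind(bare, password),
        "ssha_bind_with_password": simple_bind(salted, password),
        "ssha_bind_with_stored_value": simple_bind(salted, salted),
        "ssha_bind_with_b64_part": simple_bind(salted, salted[6:]),
    }


if __name__ == "__main__":
    # Constructed sample password, used only for this illustration.
    for case, ok in compare_schemes(b"constructed-sample-password").items():
        print(f"{case}: {ok}")
```

With the prefix removed, only the stored hash binds and the user's typed password no longer does; with {SSHA}, a copy of the stored value taken from a backup does not bind.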
