directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Linus van Geuns <li...@vangeuns.name>
Subject Re: Can we send SHA of password as the credential for LDAP authentication..
Date Sun, 17 Feb 2013 15:32:06 GMT
Hey Emmanuel,

On Sun, Feb 17, 2013 at 1:37 AM, Emmanuel Lécharny <elecharny@gmail.com>wrote:

> Le 2/16/13 6:25 PM, Linus van Geuns a écrit :
> > Hey Suresh,
> >
> >
> >>> Is it possible to configure Apache DS to ignore hash conversion of the
> >> input password and just compare the password with LDAP DB?
> >> Store the hashed password in LDAP. Be sure to remove the {SHA} part
> >> though. Doing a simple bind using the hash as a credential will just
> >> compare tis hash value with the stored part in the server. That should
> >> work.
> >>
> > For this to work, any LDAP client would need to actually hash the
> password
> > typed in by a user and send this hash as the simple credential within
> LDAP
> > Bind requests.
> > So, you would almost probably need to change the implementation of every
> > LDAP client that needs to connect to your directory.
> No. LDAP Client don't hash nor does not to hash the password, as soon as
> the password is stored hashed on a server, without the hash key on front
> of it.
>
> So you don't have to chang eanything on the client side?
>

Maybe, I didn't get your proposal of removing the "{SHA}" part..

If you store the hashed password in your directory without the hash
algorithm identifier in front of it.
How would that lead to the LDAP client not sending a clear text password in
LDAP [simjple] bind requests?

Regards, Linus

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message