directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Linus van Geuns <>
Subject Re: Can we send SHA of password as the credential for LDAP authentication..
Date Sat, 16 Feb 2013 17:25:33 GMT
Hey Suresh,

On Sat, Feb 16, 2013 at 8:03 AM, Emmanuel Lécharny <>wrote:

> Le 2/16/13 3:21 AM, suresh ramamurthy a écrit :
> > Hi..
> >
> > We have a requirement to not send clear text as the credential for LDAP
> bind operation.
> >
> > So, we store SHA of the password in the Apache DS LDAP server and we
> would like to send the SHA of the password from client as
> > the user credential for LDAP authentication. For example, we can set the
> password as {SHA}blah..blah...
> >
> > Is it possible to configure Apache DS to ignore hash conversion of the
> input password and just compare the password with LDAP DB?
> Store the hashed password in LDAP. Be sure to remove the {SHA} part
> though. Doing a simple bind using the hash as a credential will just
> compare tis hash value with the stored part in the server. That should
> work.

For this to work, any LDAP client would need to actually hash the password
typed in by a user and send this hash as the simple credential within LDAP
Bind requests.
So, you would almost probably need to change the implementation of every
LDAP client that needs to connect to your directory.

Also, when using the hash value as simple credential, the hash itself value
becomes the password.
If an attacker can intercept the hash value sent by a LDAP client, he can
use this hash to successfully bind with your directory.
Additionally, if some attacker would retrieve hashed passwords from a your
directory itself (backup files, etc), he could use those hases to
successfully bind with your directory.

So, this approach would lead to (a) your directory storing "clear text
passwords" (b) your LDAP clients sending "clear text passwords" over the

Regards, Linus

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message