On 02/12/2015 01:25 AM, Michael Lasevich wrote:
Ok, after a few awkward questions from an auditor, I am starting to
face the uncomfortable truth that my understanding about how FreeIPA
works is a lot fuzzier than I would like.
Specifically, the question I could not answer - where are the
passwords stored and how are they encrypted? My understanding is that
all authentication is handled by Kerberos server, which stores its
data in LDAP - but where and how is a bit of a mystery to me. Any way
to dump out the password hashes?
Passwords are stored in LDAP in two different attributes per entry. One
with LDAP password hash and another is Kerberos password hash allowing
authentication either with Kerebros or LDAP. Both follow best practices
in terms of using hash algorithms. The attributes themselves are
protected by the access control instructions (ACI) so only a super
priviledged admin or user himself can interact with this attribute.
During normal operations it is not fetched and read. The core of the DS
processes it behind the closed doors so it is possible to reset but not
This is how LDAP works and not different from any modern directory server.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project