Marcelo de Moraes Serpa wrote:
> Hi Dieter, thanks for the reply.
>
> Yeah, the folks @ #openldap were kind enough to help me to debug this
> issue. It turned out that it was a simple detail (as mostly always :))
> -- When I created the ldif, I put the password in clear text;
> however, I didn't do anything to tell openldap that it was actually
> cleartext, nor did I know I had to. The whole time I thought it had to do with
> ACLs (OpenLDAP denying read-access to userPassword), but the problem was
> that OpenLDAP was trying to authenticate using SHA-1, and the password
> was stored as clear text.
>
> The solution? Store the password as a SHA-1 hash. Nobody would want to
> store passwords as clear-text anyway.
There's nothing wrong with storing a clear-text password like

  userPassword: secret_12345

in the directory entry. In fact you have to when e.g. using SASL/DIGEST-MD5 bind with in-directory passwords.

When processing a simple bind slapd looks whether a password is stored in hashed form by looking at a magic prefix like {SSHA}. If that prefix is not there it is assumed that the password is stored in clear and this gets compared.

> So, issue solved!

Hmm, I think you mixed up something.

Ciao, Michael.
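To make the dispatch rule Michael describes concrete, here is an added Python example (not code from either poster or from OpenLDAP itself) that mimics how a simple-bind check treats a userPassword value: if the value carries a recognised {scheme} prefix it is verified as a hash, otherwise it is compared as clear text. The {SSHA} and {SHA} layouts are the standard ones slappasswd produces (SSHA = base64 of sha1(password + salt) followed by the salt; SHA = base64 of sha1(password)); the function and variable names, and the 4-byte salt, are this example's own choices. Unknown schemes are simply rejected here, which is a simplification of slapd's real liblutil logic.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length in bytes; everything after it in {SSHA} is salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} userPassword value (salted SHA-1, like `slappasswd -h {SSHA}`)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt; any length works
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Produce an unsalted {SHA} userPassword value (what the original poster ended up with)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def split_scheme(stored: str):
    """Return (SCHEME, payload) for a '{scheme}payload' value, or (None, stored) if no prefix."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:
            return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def check_password(stored: str, candidate: str) -> bool:
    """Simple-bind style comparison: hashed if a known prefix is present, cleartext otherwise."""
    cand = candidate.encode("utf-8")
    scheme, payload = split_scheme(stored)

    if scheme is None:
        # No magic prefix: the directory holds the password in clear, so compare directly.
        # Constant-time comparison avoids leaking how many leading bytes matched.
        return hmac.compare_digest(stored.encode("utf-8"), cand)

    try:
        raw = base64.b64decode(payload, validate=True)
    except (ValueError, base64.binascii.Error):
        return False  # malformed hash value can never match

    if scheme == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        if len(digest) != SHA1_LEN:
            return False
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)

    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)

    # Example simplification: any other scheme is treated as unsupported.
    return False


if __name__ == "__main__":
    # Constructed sample entries, in the two forms discussed in the thread.
    clear_entry = "secret_12345"            # userPassword: secret_12345
    hashed_entry = make_ssha("secret_12345")  # userPassword: {SSHA}...
    print(hashed_entry)
    print("cleartext entry, right password :", check_password(clear_entry, "secret_12345"))
    print("cleartext entry, wrong password :", check_password(clear_entry, "secret_12346"))
    print("SSHA entry, right password      :", check_password(hashed_entry, "secret_12345"))
    print("SSHA entry, wrong password      :", check_password(hashed_entry, "secret_12346"))
```

The point the example makes is the one in the reply above: a clear-text userPassword is a valid, bindable value, and the hashed form only changes how the comparison is performed, not whether a simple bind can succeed.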