On Sat, 23 Nov 2013 20:22:56 +0100, Aleksander Dzierżanowski <[email protected]> wrote:
> Message written by Dieter Klünter <[email protected]> on
> 23 Nov 2013, at 19:57:
>
> > On Sat, 23 Nov 2013 13:24:56 +0100,
> > Michael Ströder <[email protected]> wrote:
> >
> >> Dieter Klünter wrote:
> >>> Hi,
> >>> I have a ldap server (2.4.36) with various password hashes
> >>> {CLEARTEXT} {KERBEROS} {SSHA} for different users, there is no
> >>> password-hash declaration in slapd.conf. Now I face a strange
> >>> behaviour with {CLEARTEXT} hash. That is:
> >>> userPassword: {CLEARTEXT} secret
> >>                          ^^^
> >> I'd try to remove this extra space. Not sure though.
> >
> > Just to demonstrate the various hash scheme {CLEARTEXT} results:
> > http://pastebin.de/37485
> >
>
> Well, AFAIK if there is no {METHOD} in userPassword attribute then
> method is cleartext, so everything works as expected I suppose...
> --
> Olo

It is not that simple. RFC-2307 describes hashing schemes, but not
{CLEARTEXT}, man slapd.conf(5) mentions {CLEARTEXT} as password-hash.
http://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html
only refers to hashed userpassword values.
DIGEST-MD5 is a SASL mechanism which requires a cleartext password,
thus a hashing scheme of {CLEARTEXT} is valid for a SASL mechanism.
A simple bind requires a userpassword attribute value in cleartext, but
doesn't require a hashing scheme. It would be quite helpful if OpenLDAP
would accept a hash scheme for a simple bind.

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
