On Tue, Nov 30, 2004 at 08:13:17AM -0500, Matt wrote:
> Flavio,
> Ok, so say the user's password was 'snoopy'. Do I pass to ldap:
> {crypt}snoopy
> as the password variable when I'm doing updating?
>
No, you pass `/var/qmail/bin/digest snoopy | grep -i "{crypt}"`, e.g.
{CRYPT}AqGKgkuKih9qU
> Now what would be the difference between doing:
> unixcrypt
> and
> {crypt}unixcrypt
>
userPassword stores, per RFC, a clear text version of the password, but this
is a major security nightmare. So the unixcrypt was used at the beginning,
but the old DES crypt with 2 salt bytes is weak and can be cracked in
usable time. So other hash algorithms were used, e.g. MD5, SHA1 and their
salted versions SMD5 and SSHA. To distinguish between those versions the
{ALGO} notation was introduced.
> as these are the two options in our current billing software, and we
> currently use unixcrypt.
> And the passwords look like: HeTTLKfZaCI5A
>
> What does that mean? (Sorry.. this is the first I've actually delved
> into the password side of qmail-ldap).
OpenLDAP and qmail-ldap support both formats, with and without the {CRYPT}
in front of the hash. So you can store the passwords with or without
{CRYPT}.
I prefer SSHA, SMD5 and the blowfish version of crypt(3).
--
:wq Claudio
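As an added example (not code from the thread, qmail-ldap or OpenLDAP), the {SHA}, {SSHA}, {MD5} and {SMD5} userPassword forms discussed above, built and verified in Python; the 4-byte salt length is an assumption, and {CRYPT} values are left to crypt(3).

```python
import base64
import hashlib
import hmac
import os

# userPassword schemes handled here: hash algorithm and whether a salt is
# appended to the password before hashing and stored after the digest.
SCHEMES = {
    "{SHA}": ("sha1", False),
    "{SSHA}": ("sha1", True),
    "{MD5}": ("md5", False),
    "{SMD5}": ("md5", True),
}

def make_userpassword(scheme, password, salt=None):
    """Return a value such as {SSHA}base64(digest(password+salt) || salt)."""
    algo, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt  # 4-byte salt assumed
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")

def verify_userpassword(stored, password):
    """Check a candidate password against a stored {ALGO} value.
    Unknown schemes, bare hashes and {CRYPT} (crypt(3) territory) return False."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme = stored[: stored.index("}") + 1].upper()
    if scheme not in SCHEMES:
        return False
    algo, _ = SCHEMES[scheme]
    blob = base64.b64decode(stored[len(scheme):])
    dlen = hashlib.new(algo).digest_size
    # The salt is whatever follows the fixed-length digest in the blob.
    digest, salt = blob[:dlen], blob[dlen:]
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

Two {SSHA} values for the same password differ when their salts differ, which is what defeats a precomputed table; unsalted {SHA} is identical every time.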