Claudio,
I've got that... if someone wanted to generate the password on another
system (say a Windows database backend that talked to the LDAP
server), what would you use? Something that generated a password
based on the unix crypt format?
On Tue, 30 Nov 2004 14:47:45 +0059, Claudio Jeker <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 30, 2004 at 08:13:17AM -0500, Matt wrote:
> > Flavio,
> > Ok, so say the user's password was 'snoopy'. Do I pass to ldap:
> > {crypt}snoopy
> > as the password variable when I'm doing updating?
> >
>
> no you pass `/var/qmail/bin/digest snoopy | grep -i "{crypt}"` e.g.
> {CRYPT}AqGKgkuKih9qU
>
> > Now what would be the difference between doing:
> > unixcrypt
> > and
> > {crypt}unixcrypt
> >
>
> Userpassword stores per RFC a clear text version of the password but this
> is a major security nightmare. So the unixcrypt was used at the beginning
> but the old des crypt with 2 salt bytes is weak and can be cracked in
> usable time. So other hash algorithms were used, e.g. md5, sha1 and their
> salted versions smd5 and ssha. To distinguish between those versions the
> {ALGO} notation was introduced.
>
> > as these are the two options in our current billing software, and we
> > currently use unixcrypt.
> > And the passwords look like: HeTTLKfZaCI5A
> >
> > What does that mean? (Sorry.. this is the first I've actually delved
> > into the password side of qmail-ldap).
>
> OpenLDAP and qmail-ldap support both formats with and without the {CRYPT}
> in front of the hash. So you can store the passwords with or without
> {CRYPT}.
>
> I prefer SSHA, SMD5 and the blowfish version of crypt(3).
> --
> :wq Claudio
>
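
An added example, not part of the original thread and not qmail-ldap or OpenLDAP code: a portable Python sketch of the {ALGO} notation discussed above, which builds a {SSHA} value as base64(SHA1(password + salt) + salt) on any system without crypt(3) and verifies {SSHA}, {SMD5}, {SHA} and {MD5} values. The function names and the 8-byte salt length are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Scheme name -> (hashlib digest name, whether a salt is appended to the digest)
SCHEMES = {
    "SSHA": ("sha1", True),
    "SMD5": ("md5", True),
    "SHA": ("sha1", False),
    "MD5": ("md5", False),
}
PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")


def split_scheme(stored):
    """Return (SCHEME, rest); a value with no {ALGO} prefix is treated as crypt(3)."""
    m = PREFIX.match(stored)
    if not m:
        return "CRYPT", stored
    return m.group(1).upper(), m.group(2)


def make_ssha(password, salt=None):
    """Build a {SSHA} value; the 8-byte random salt is an assumed default."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password, stored):
    """Check a password against a stored SSHA/SMD5/SHA/MD5 value."""
    scheme, rest = split_scheme(stored)
    if scheme not in SCHEMES:
        # {CRYPT} and unprefixed values need the platform's crypt(3)
        raise ValueError("scheme %s is not handled here" % scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(rest, validate=True)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]  # everything after the digest is salt
    if len(digest) != size or salted != bool(salt):
        return False
    calc = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time comparison
```
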