[vchkpw] Call for input on OpenLDAP authentication module

2010-10-01 Thread Matt Brookings

The module is nearing completion, and I'd like to ask for some
opinions on supported password formats.

Part of the module's goal is to provide an address book for users.
The LDAP server administrator can set down rights as to what parts of
the directory can be seen, and users can authenticate as themselves
against the LDAP server for this purpose.

That means that both vpopmail and the LDAP server must understand
the password field.  Because of this requirement, the userPassword
field from the inetOrgPerson schema is being used to store the
hashed password.

Another requirement is that the password be portable to other
authentication modules.  If one wishes to convert to another module,
and does not have plaintext passwords enabled, it should be possible
to convert the user's hashed password to the new module, even if it
requires some quick tweaks (e.g. {SMD5} has the four byte salt at the
end, and is base64 encoded -- this could easily be reformatted).

Initially I had decided upon using the {SMD5} hash scheme, but this
requires that systems have MD5 support.  The next obvious choice is
the {CRYPT} scheme; however, OpenLDAP does not compile with this
feature enabled by default, and without it, the server cannot
authenticate clients.

So, to those of you with some experience with OpenLDAP, I'm looking
for some input on the optimal scheme (or schemes) to implement,
keeping in mind that the hashed password can (hopefully) be ported to
the other authentication modules if required, and the OpenLDAP server
must be able to authenticate against it.

The original module supported {MD5} and {CRYPT}, and that's what I'm
leaning towards here.

Thanks for any input you can provide!
-- 
/*
Matt Brookings m...@inter7.com   GnuPG Key FAE0672C
Software developer Systems technician
Inter7 Internet Technologies, Inc. (815)776-9465
*/
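To make the {MD5}/{SMD5} layout discussed in the message concrete, here is an added example (not code from Matt's module or from vpopmail) that parses an RFC 2307-style userPassword value, verifies a candidate password against it with a constant-time compare, and re-expresses an {SMD5} value as separate hex digest and hex salt for migration to another module. Function names are the example's own; the 16-byte digest followed by the salt is the {SMD5} layout the message describes.

```python
import base64
import hashlib
import hmac
import os


def parse_userpassword(value):
    """Split a '{SCHEME}base64' userPassword value into (SCHEME, raw bytes).
    Raises ValueError on malformed input instead of silently accepting it."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, b64 = value[1:].partition("}")
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad base64 payload") from exc
    return scheme.upper(), raw


def make_smd5(password, salt=None):
    """Build an {SMD5} value: base64(md5(password + salt) + salt).
    The four-byte salt is appended after the digest, as the message notes."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.md5(password.encode() + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode()


def verify_userpassword(stored, candidate):
    """Return True if candidate matches the stored {MD5} or {SMD5} value."""
    scheme, raw = parse_userpassword(stored)
    if scheme == "MD5":
        digest, salt = raw, b""
    elif scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]  # digest first, salt trails it
    else:
        raise ValueError("unsupported scheme {%s}" % scheme)
    if len(digest) != 16:
        raise ValueError("digest length mismatch")
    computed = hashlib.md5(candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)  # avoid timing leaks


def smd5_to_portable(stored):
    """Re-express an {SMD5} value as (hex digest, hex salt) so another
    module that stores salt and hash separately can import it."""
    scheme, raw = parse_userpassword(stored)
    if scheme != "SMD5":
        raise ValueError("not an {SMD5} value")
    return raw[:16].hex(), raw[16:].hex()
```

{CRYPT} is deliberately left out here: it delegates to the system crypt(3), which is exactly the dependency the message says OpenLDAP may lack.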


[vchkpw] Re: Call for input on OpenLDAP authentication module

2010-10-01 Thread Eric Shubert

Matt Brookings wrote:

I'm certainly not one who can advise on this. However, I would like at 
some point to be able to use FreeIPA for authentication. Perhaps you can 
ask about this on the FreeIPA Users list 
(https://www.redhat.com/mailman/listinfo/freeipa-users or 
gmane.linux.redhat.freeipa.user). I would think that some folks there 
would be very knowledgeable about such things.


--
-Eric 'shubes'

