Re: [vchkpw] Call for input on OpenLDAP authentication module

2010-10-04 Thread Shane Chrisp
On 02/10/10 04:01, Matt Brookings wrote:
> Initially I had decided upon using the {SMD5} hash scheme, but this
> requires that systems have MD5 support.  The next obvious choice is
> the {CRYPT} scheme, however, OpenLDAP does not compile with this
> feature enabled by default, and without it, the server cannot
> authenticate clients.
>
> So, to those of you with some experience with OpenLDAP, I'm looking
> for some input on the optimal scheme (or schemes) to implement,
> keeping in mind that the hashed password can (hopefully) be ported to
> the other authentication modules if required, and the OpenLDAP server
> must be able to authenticate against it.
>
> The original module supported {MD5} and {CRYPT}, and that's what I'm
> leaning towards here.
>
> Thanks for any input you can provide!

I do not think it is really going to matter too much. You could always
go down the path of letting the server do the hashing for you, much
like pam_ldap does. Otherwise I would be happy with MD5, though we also
use SSHA.

Shane



[vchkpw] Call for input on OpenLDAP authentication module

2010-10-01 Thread Matt Brookings
The module is nearing completion, and I'd like to ask for some
opinions on supported password formats.

Part of the module's goal is to provide an address book for users.
The LDAP server administrator can set down rights as to what parts of
the directory can be seen, and users can authenticate as themselves
against the LDAP server for this purpose.

That means that both vpopmail and the LDAP server must understand the
password field.  Because of this requirement, the userPassword field
from the inetOrgPerson schema is being used to store the hashed
password.

Another requirement is that the password be portable to other
authentication modules.  If one wishes to convert to another module,
and does not have plaintext passwords enabled, it should be possible
to convert the user's hashed password to the new module, even if it
requires some quick tweaks (e.g. {SMD5} has the four byte salt at the
end, and is base64 encoded -- this could easily be reformatted).

Initially I had decided upon using the {SMD5} hash scheme, but this
requires that systems have MD5 support.  The next obvious choice is
the {CRYPT} scheme, however, OpenLDAP does not compile with this
feature enabled by default, and without it, the server cannot
authenticate clients.

So, to those of you with some experience with OpenLDAP, I'm looking
for some input on the optimal scheme (or schemes) to implement,
keeping in mind that the hashed password can (hopefully) be ported to
the other authentication modules if required, and the OpenLDAP server
must be able to authenticate against it.

The original module supported {MD5} and {CRYPT}, and that's what I'm
leaning towards here.

Thanks for any input you can provide!
-- 
/*
Matt Brookings m...@inter7.com   GnuPG Key FAE0672C
Software developer Systems technician
Inter7 Internet Technologies, Inc. (815)776-9465
*/
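As an added illustration of the userPassword formats discussed in this thread (not code from vpopmail, the module under discussion, or any poster), the following Python builds and verifies the RFC 2307 style {MD5}, {SHA}, {SMD5} and {SSHA} values that OpenLDAP stores: for the salted schemes the stored value is base64(digest(password + salt) + salt), with the salt appended after the digest, which is exactly what makes the hash recoverable and re-encodable for another module without the plaintext. All function names are my own.

```python
import base64
import hashlib
import hmac
import os

# Scheme name -> (digest constructor, whether a trailing salt is present).
# {CRYPT} is deliberately left out: it depends on the platform's crypt(3).
_SCHEMES = {
    "MD5": (hashlib.md5, False),
    "SHA": (hashlib.sha1, False),
    "SMD5": (hashlib.md5, True),
    "SSHA": (hashlib.sha1, True),
}


def make_userpassword(scheme, password, salt=None):
    """Return a '{SCHEME}base64' userPassword value for `password`.

    For salted schemes a random 4 byte salt is drawn unless one is given;
    the salt is appended to the raw digest before base64 encoding."""
    digest_fn, salted = _SCHEMES[scheme.upper()]
    salt = (os.urandom(4) if salt is None else salt) if salted else b""
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def split_userpassword(value):
    """Parse a stored value into (scheme, raw_digest, salt).

    The digest length is fixed per algorithm, so everything after it is
    the salt; this is the split needed to port the hash to another module."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("userPassword value has no {SCHEME} prefix")
    scheme, encoded = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme: %s" % scheme)
    digest_fn, salted = _SCHEMES[scheme]
    raw = base64.b64decode(encoded, validate=True)
    n = digest_fn().digest_size
    if len(raw) < n or (not salted and len(raw) != n):
        raise ValueError("malformed digest for scheme %s" % scheme)
    return scheme, raw[:n], raw[n:]


def verify_userpassword(value, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, digest, salt = split_userpassword(value)
    digest_fn, _ = _SCHEMES[scheme]
    candidate = digest_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```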