The module is nearing completion, and I'd like to ask for some
opinions on supported password formats.

Part of the module's goal is to provide an address book for users.
The LDAP server administrator can set down rights as to what parts of
the directory can be seen, and users can authenticate as themselves
against the LDAP server for this purpose.

That means that both vpopmail and the LDAP server must
understand the password field.  Because of this requirement, the
userPassword field from the inetOrgPerson schema is being used to
store the hashed password.

Another requirement is that the password be portable to other
authentication modules.  If one wishes to convert to another module,
and does not have plaintext passwords enabled, it should be possible
to convert the user's hashed password to the new module, even if it
requires some quick tweaks (e.g. {SMD5} has the four byte salt at the
end, and is base64 encoded -- this could easily be reformatted).

Initially I had decided upon using the {SMD5} hash scheme, but this
requires that systems have MD5 support.  The next obvious choice is
the {CRYPT} scheme, however, OpenLDAP does not compile with this
feature enabled by default, and without it, the server cannot
authenticate clients.

So, to those of you with some experience with OpenLDAP, I'm looking
for some input on the optimal scheme (or schemes) to implement,
keeping in mind that the hashed password can (hopefully) be ported to
the other authentication modules if required, and the OpenLDAP server
must be able to authenticate against it.

The original module supported {MD5} and {CRYPT}, and that's what I'm
leaning towards here.

Thanks for any input you can provide!
-- 
    Matt Brookings <m...@inter7.com>       GnuPG Key FAE0672C
    Software developer                     Systems technician
    Inter7 Internet Technologies, Inc.     (815)776-9465
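Added example, not code from the original message or from vpopmail or OpenLDAP: a small Python script that generates and verifies userPassword values in the RFC 2307 / OpenLDAP convention the message discusses ({MD5}, {SHA}, {SMD5}, {SSHA}, plus {CRYPT} where the host provides it). It shows the point about {SMD5} above: the value is base64(digest || salt) with the four-byte salt at the end, so the salt can be split off and the pair reformatted for another module. Function names and the 4-byte salt length are my choices (OpenLDAP accepts any salt length on verify); {CRYPT} handling relies on Python's crypt module, which is deprecated in recent Python releases, so it is optional here.

```python
import base64
import hashlib
import hmac
import os

try:  # {CRYPT} needs the platform crypt(3); Python's module is deprecated/removed in newer releases
    import crypt
except ImportError:  # pragma: no cover
    crypt = None

# Scheme name -> hashlib constructor.  The S* variants append a salt to the password
# before hashing and store base64(digest || salt); the plain ones are unsalted.
_SCHEMES = {"MD5": hashlib.md5, "SMD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
_SALTED = {"SMD5", "SSHA"}
SALT_LEN = 4  # assumption: 4-byte salt, as the message describes for {SMD5}


def make_userpassword(password, scheme="SSHA", salt=None):
    """Return an RFC 2307 style '{SCHEME}base64...' value for `password`."""
    scheme = scheme.upper()
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt module not available on this host")
        return "{CRYPT}" + crypt.crypt(password, crypt.mksalt())
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme: %s" % scheme)
    pw = password.encode("utf-8")
    if scheme in _SALTED:
        if salt is None:
            salt = os.urandom(SALT_LEN)
        blob = _SCHEMES[scheme](pw + salt).digest() + salt  # salt goes AFTER the digest
    else:
        blob = _SCHEMES[scheme](pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode("ascii"))


def parse_userpassword(value):
    """Split a stored value into (scheme, digest_bytes, salt_bytes).

    For {CRYPT} the 'digest' is the raw crypt(3) string and the salt is empty,
    since crypt carries its own salt inside the string.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not a {SCHEME}-prefixed value")
    end = value.index("}")
    scheme, rest = value[1:end].upper(), value[end + 1:]
    if scheme == "CRYPT":
        return scheme, rest.encode("ascii"), b""
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme: %s" % scheme)
    blob = base64.b64decode(rest, validate=True)
    dlen = _SCHEMES[scheme]().digest_size
    if scheme in _SALTED:
        if len(blob) <= dlen:
            raise ValueError("salted value carries no salt")
        return scheme, blob[:dlen], blob[dlen:]
    if len(blob) != dlen:
        raise ValueError("digest length mismatch for %s" % scheme)
    return scheme, blob, b""


def verify_userpassword(password, value):
    """Check `password` against a stored userPassword value; constant-time compare."""
    scheme, digest, salt = parse_userpassword(value)
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("crypt module not available on this host")
        stored = digest.decode("ascii")
        return hmac.compare_digest(crypt.crypt(password, stored), stored)
    expected = _SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def reformat_salted(value):
    """Re-express an {SMD5}/{SSHA} value as separate hex digest and hex salt.

    This is the 'quick tweak' the message mentions: a module that stores salt
    and hash in separate columns can take these two fields directly.
    """
    scheme, digest, salt = parse_userpassword(value)
    if scheme not in _SALTED:
        raise ValueError("%s is not a salted scheme" % scheme)
    return {"scheme": scheme, "digest_hex": digest.hex(), "salt_hex": salt.hex()}


if __name__ == "__main__":
    # constructed sample: the password "secret" with a fixed salt so output is reproducible
    stored = make_userpassword("secret", "SMD5", salt=b"\x01\x02\x03\x04")
    print(stored)
    print(reformat_salted(stored))
    print("verify ok:", verify_userpassword("secret", stored))
    print("wrong pw :", verify_userpassword("Secret", stored))
```

Two caveats a practitioner would want alongside the message: {MD5} and {SHA} are unsalted, so identical passwords produce identical stored values and precomputed tables apply directly, which is why the salted {SMD5}/{SSHA} forms are the ones OpenLDAP documentation steers people toward; and whatever scheme is chosen, the server side still has to be built with that scheme enabled (the {CRYPT} point made above), so the portability gain only holds if both ends agree.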