Matt Brookings wrote:

The module is nearing completion, and I'd like to ask for some
opinions on supported password formats.

Part of the module's goal is to provide an address book for users.
The LDAP server administrator can set down rights as to what parts of
the directory can be seen, and users can authenticate as themselves
against the LDAP server for this purpose.

That means that both vpopmail and the LDAP server must understand the
password field.  Because of this requirement, the userPassword field
from the inetOrgPerson schema is being used to store the hashed
password.

Another requirement is that the password be portable to other
authentication modules.  If one wishes to convert to another module,
and does not have plaintext passwords enabled, it should be possible
to convert the user's hashed password to the new module, even if it
requires some quick tweaks (e.g. {SMD5} has the four-byte salt at the
end, and is base64 encoded -- this could easily be reformatted).

Initially I had decided upon using the {SMD5} hash scheme, but this
requires that systems have MD5 support.  The next obvious choice is
the {CRYPT} scheme, however, OpenLDAP does not compile with this
feature enabled by default, and without it, the server cannot
authenticate clients.

So, to those of you with some experience with OpenLDAP, I'm looking
for some input on the optimal scheme (or schemes) to implement,
keeping in mind that the hashed password can (hopefully) be ported to
the other authentication modules if required, and the OpenLDAP server
must be able to authenticate against it.

The original module supported {MD5} and {CRYPT}, and that's what I'm
leaning towards here.

Thanks for any input you can provide!
--

I'm certainly not one who can advise on this. However, I would like at some point to be able to use FreeIPA for authentication. Perhaps you can ask about this on the FreeIPA Users list ( or gmane.linux.redhat.freeipa.user). I would think that some folks there would be very knowledgeable about such things.

-Eric 'shubes'

