modify userPassword via perl-ldap?

Justin Crawford wrote:
> This page offers some advice for creating SHA and SSHA passwords (which
> your directory is likely doing) using various languages:
> http://www.openldap.org/faq/data/cache/347.html
>
> You could use one of those snippets to do your own hashing prior to
> updating the userPassword attribute.
>   

If I understand things correctly, it's probably best to set passwords 
plain-text and let the server hash them for you.  I believe that you 
*must* do this if you want to use PassSync to sync passwords with AD.

e.g.:

dn: uid=user,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userpassword: theNewPassword

If you don't specify a hash, the directory server should hash the 
password on your behalf.

> You could also use one of those snippets in your verification routine:
> Generate a hash in perl using the same algorithm used by your directory,
> and compare the perl-generated hash to the one stored in the
> userPassword attribute.  If the two hashes are the same, it is extremely
> probable (almost certain) that the passwords they obscure are the same.
> (Note to crypto geniuses: please be gentle if I am wrong ;)
>   

For security purposes, no one should be able to see the userPassword 
attribute.  The proper way to validate a password is to search for the 
user's entry in LDAP, save the DN of that entry, and then attempt to 
bind as that DN using the password from the user.  If the bind is 
successful, then the password is correct.
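
The search-then-bind check and the plain-text replace described in the reply above, sketched with Net::LDAP as an added example that is not part of the original post. The host, base DN, CA file path, the function names, and the assumptions that anonymous search is allowed and that users may change their own password are all illustrative.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed values for illustration; replace with your directory's settings.
my $HOST   = 'ldap.example.com';
my $BASE   = 'ou=people,dc=example,dc=com';
my $CAFILE = '/etc/pki/tls/certs/ca-bundle.crt';

# Connect and require verified STARTTLS, so the plain-text password is never sent in clear.
sub connect_tls {
    my $ldap = Net::LDAP->new($HOST) or die "connect failed: $@";
    my $tls  = $ldap->start_tls(verify => 'require', cafile => $CAFILE);
    die 'STARTTLS failed: ' . $tls->error if $tls->code;
    return $ldap;
}

# Returns the user's DN if the password is correct, nothing otherwise.
sub check_password {
    my ($uid, $password) = @_;
    # A simple bind with an empty password is an "unauthenticated bind", which
    # servers may report as success, so reject it before talking to the server.
    return unless defined $password && length $password;
    my $ldap = connect_tls();
    # Anonymous search (assumed allowed). The uid is escaped so it cannot alter
    # the filter; '1.1' asks for no attributes, since only the DN is needed.
    my $search = $ldap->search(base => $BASE, scope => 'sub',
        filter => '(uid=' . escape_filter_value($uid) . ')', attrs => ['1.1']);
    my $dn = (!$search->code && $search->count == 1) ? $search->entry(0)->dn : undef;
    # The server compares the password; the client never reads userPassword.
    my $ok = defined $dn && !$ldap->bind($dn, password => $password)->code;
    $ldap->unbind;
    return unless $ok;
    return $dn;
}

# Bind as the user and replace userPassword with the plain-text value,
# leaving the hashing to the directory server.
sub set_password {
    my ($dn, $old, $new) = @_;
    return 0 unless length($old // '') && length($new // '');
    my $ldap = connect_tls();
    my $ok = !$ldap->bind($dn, password => $old)->code
          && !$ldap->modify($dn, replace => { userPassword => $new })->code;
    $ldap->unbind;
    return $ok ? 1 : 0;
}
```

A caller would run `my $dn = check_password($uid, $pw)` and, on success, `set_password($dn, $pw, $new_pw)`.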



