On 2/12/19 at 22:42, William Brown wrote:
>
>
>> On 2 Dec 2019, at 18:46, Francesc Guasch <frankie@xxxxxxxxxxxxxxx> wrote:
>>
>> Then matching with that:
>>
>> Authen::Passphrase->from_rfc2307($password_ldap)->match($password);
>
> Hmmm you may want to consider using an ldap bind rather than a client side match of the hash content. It's a much more secure and long term supportable way of managing this, and resolves a number of security risks around userPassword attribute disclosure.
>
> https://metacpan.org/pod/Net::LDAP::Examples#BINDING
>

Absolutely. Thank you for pointing me to the doc. We do use binding by default, but we have some use cases where there is a legacy setup that only works with match.

I have managed to use pbkdf2 and store the passwords properly with SHA-256. But I still have something missing. Usually the user entries are already there in the LDAP directory, but we provide a small function to add users. My problem is we have to create a random salt and I don't know how to store it. Right now there is a static salt string using PBKDF2::Tiny:

    my $pass = "{PBKDF2_SHA256}" . derive_hex('SHA-256', $password, 'salt');
                                                                     ^^^^

Then I use this to add an entry in the attribute userPassword. But I don't know how to properly create this string with a random salt. What is the string format to store with PBKDF2?

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
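The piece missing from the question is that the random salt (and the iteration count) must be stored inside the userPassword value itself, so that a later client-side match can recover them and re-derive the hash. Added example, not code from this thread or from 389-ds: a Python encoder and verifier for the {PBKDF2_SHA256} layout that the 389-ds password storage plugin is understood to use (4-byte big-endian iteration count, 64-byte salt, 256-byte derived key, base64-encoded together); the field sizes and the 10000 iteration count are assumptions to check against the server version in use, and a server-side bind remains the safer default for verification.

```python
# Added example (not from the thread): build and verify a userPassword value
# for the {PBKDF2_SHA256} scheme with a per-user random salt.
# Assumed layout (check against your 389-ds version):
#   "{PBKDF2_SHA256}" + base64( iterations(4 bytes, big-endian)
#                               || salt(64 bytes) || hash(256 bytes) )
import base64
import hashlib
import hmac
import os
import struct

SCHEME = "{PBKDF2_SHA256}"
ITERATIONS = 10000   # constructed value; use the server's configured count
SALT_LEN = 64
HASH_LEN = 256


def encode_userpassword(password: str, iterations: int = ITERATIONS) -> str:
    """Return a userPassword value with a fresh random salt embedded in it."""
    salt = os.urandom(SALT_LEN)            # new salt for every entry
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=HASH_LEN)
    blob = struct.pack(">I", iterations) + salt + dk
    return SCHEME + base64.b64encode(blob).decode("ascii")


def verify_userpassword(stored: str, password: str) -> bool:
    """Client-side match: recover iterations and salt from the value, re-derive."""
    if not stored.startswith(SCHEME):
        return False
    blob = base64.b64decode(stored[len(SCHEME):])
    if len(blob) != 4 + SALT_LEN + HASH_LEN:
        return False                        # malformed or different layout
    (iterations,) = struct.unpack(">I", blob[:4])
    salt = blob[4:4 + SALT_LEN]
    expected = blob[4 + SALT_LEN:]
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=HASH_LEN)
    return hmac.compare_digest(got, expected)   # constant-time compare


if __name__ == "__main__":
    value = encode_userpassword("correct horse")
    print(value[:40] + "...")
    print(verify_userpassword(value, "correct horse"))   # True
    print(verify_userpassword(value, "wrong"))           # False
```

Because the salt is generated per call, two entries created with the same password produce different userPassword values, which is exactly what the static 'salt' string in the thread fails to give.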