Justin Crawford wrote:
This page offers some advice for creating SHA and SSHA passwords (which
your directory is likely doing) using various languages:
http://www.openldap.org/faq/data/cache/347.html
You could use one of those snippets to do your own hashing prior to
updating the userPassword attribute.
If I understand things correctly, it's probably best to set passwords
plain-text and let the server hash them for you. I believe that you
*must* do this if you want to use PassSync to sync passwords with AD.
e.g.:
dn: uid=user,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userpassword: theNewPassword
If you don't specify a hash, the directory server should hash the
password on your behalf.
You could also use one of those snippets in your verification routine:
Generate a hash in perl using the same algorithm used by your directory,
and compare the perl-generated hash to the one stored in the
userPassword attribute. If the two hashes are the same, it is extremely
probable (almost certain) that the passwords they obscure are the same.
(Note to crypto geniuses: please be gentle if I am wrong ;)
For security purposes, no one should be able to see the userPassword
attribute. The proper way to validate a password is to search for the
user's entry in LDAP, save the DN of that entry, and then attempt to
bind as that DN using the password from the user. If the bind is
successful, then the password is correct.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
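The two approaches discussed in this thread, the quoted "hash it yourself and compare" idea and the reply's search-then-bind recommendation, side by side as an added Python example. This is not code from the list, from the OpenLDAP FAQ or from Fedora Directory Server; the {SHA}/{SSHA} encoding (base64 of SHA-1 digest plus trailing salt) follows the OpenLDAP FAQ page cited above, and the directory itself is a constructed in-memory stand-in (FakeDirectory) so the flow runs offline. Its hash-on-add behaviour mirrors what the mail says the server does when userPassword is set without a scheme prefix, and its bind() performs the comparison internally so the caller never reads userPassword.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: FakeDirectory stands in for the LDAP server so the
# search-then-bind flow can be exercised offline.  It is not the real server.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} form from the OpenLDAP FAQ: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # salt length is not fixed by the format
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Unsalted {SHA} form, still found in older directories."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_password(stored: str, candidate: str) -> bool:
    """Recompute the stored scheme over `candidate` and compare in constant time.
    This is the 'generate a hash and compare' idea from the quoted mail; the
    salt is recovered from the stored value, so only the scheme must match."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(digest, expected)
    return False  # unknown or missing scheme: refuse rather than guess


class FakeDirectory:
    """Minimal stand-in for an LDAP server: entries keyed by DN, binds done
    server-side, so userPassword never has to be readable by clients."""

    def __init__(self) -> None:
        self._entries = {}  # dn -> {attribute: value}

    def add(self, dn: str, attrs: dict) -> None:
        entry = dict(attrs)
        # A plain-text userPassword (no {scheme} prefix) is hashed on the
        # server side, as the mail describes the directory doing.
        pw = entry.get("userPassword", "")
        if not pw.startswith("{"):
            entry["userPassword"] = ssha_hash(pw)
        self._entries[dn] = entry

    def search_uid(self, base: str, uid: str) -> Optional[str]:
        """Return the DN of the entry with this uid under `base`, or None.
        Only the DN comes back; userPassword is not exposed to the caller."""
        for dn, entry in self._entries.items():
            if dn.endswith(base) and entry.get("uid") == uid:
                return dn
        return None

    def bind(self, dn: str, password: str) -> bool:
        entry = self._entries.get(dn)
        if entry is None:
            return False
        return check_password(entry["userPassword"], password)


def authenticate(directory: FakeDirectory, base: str, uid: str, password: str) -> bool:
    """The flow the reply recommends: search for the user's entry, keep its DN,
    then attempt a bind as that DN.  The bind result is the verdict."""
    dn = directory.search_uid(base, uid)
    if dn is None:
        return False
    return directory.bind(dn, password)


if __name__ == "__main__":
    d = FakeDirectory()
    d.add("uid=user,ou=people,dc=example,dc=com",
          {"uid": "user", "userPassword": "theNewPassword"})
    print(authenticate(d, "dc=example,dc=com", "user", "theNewPassword"))  # True
    print(authenticate(d, "dc=example,dc=com", "user", "wrong"))           # False
```

check_password() shows why the quoted approach needs read access to userPassword (the salt lives inside the stored value), while authenticate() only ever handles a DN and a bind result, which is the point the reply makes. Against a real directory the search and bind calls would go through an LDAP client library; the structure of the two steps stays the same.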