On 2/12/19 at 22:42, William Brown wrote:
>> On 2 Dec 2019, at 18:46, Francesc Guasch <frankie(a)telecos.upc.edu> wrote:
>>
>> Then matching with that:
>>
>> Authen::Passphrase->from_rfc2307($password_ldap)->match($password);
> Hmmm you may want to consider using an LDAP bind rather than a client side match of the
> hash content. It's a much more secure and long term supportable way of managing this,
> and resolves a number of security risks around userPassword attribute disclosure.
> https://metacpan.org/pod/Net::LDAP::Examples#BINDING
Absolutely. Thank you for pointing me to the doc.
We do use binding by default, but we have some use cases
where there is a legacy setup that only works with match.
I have managed to use pbkdf2 and store the passwords properly
with SHA-256. But I still have something missing.
Usually the users' entries are already there in the LDAP directory,
but we provide a small function to add users. My problem is
we have to create a random salt and I don't know how to store it.
Right now there is a static salt string using PBKDF2::Tiny:
use PBKDF2::Tiny qw(derive_hex);
my $pass = "{PBKDF2_SHA256}"
    . derive_hex( 'SHA-256', $password, 'salt' );   # static salt, default iteration count
                                        ^^^^
Then I use this to add an entry in the attribute userPassword.
But I don't know how to properly create this string with a
random salt.
What is the string format to store with PBKDF2?
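One way to keep a per-entry random salt together with the hash, as an added example that is not code from this thread: the value is stored as "{PBKDF2-SHA256}" followed by the iteration count, the base64 salt and the base64 derived key, separated by "$", and the application parses it back itself. That scheme name and layout are an assumption made here, to be matched against whatever your directory or other consumers of userPassword expect; it uses PBKDF2::Tiny, Crypt::URandom and MIME::Base64.

```perl
use strict;
use warnings;
use PBKDF2::Tiny qw(derive verify);
use Crypt::URandom qw(urandom);
use MIME::Base64 qw(encode_base64 decode_base64);

# Assumed layout (not from the thread):
#   {PBKDF2-SHA256}<iterations>$<base64 salt>$<base64 derived key>
my $ITERATIONS = 10_000;
my $SALT_BYTES = 16;

# Build a userPassword value with a fresh CSPRNG salt for this entry.
sub make_userpassword {
    my ($password) = @_;
    my $salt = urandom($SALT_BYTES);
    my $dk   = derive('SHA-256', $password, $salt, $ITERATIONS);
    return sprintf '{PBKDF2-SHA256}%d$%s$%s', $ITERATIONS,
        encode_base64($salt, ''), encode_base64($dk, '');
}

# Parse the stored value, recompute with the stored salt and iteration
# count, and compare; verify() does the comparison in constant time.
sub check_userpassword {
    my ($stored, $password) = @_;
    my ($iter, $salt_b64, $dk_b64) =
        $stored =~ /^\{PBKDF2-SHA256\}(\d+)\$([^\$]+)\$(.+)$/
        or return 0;
    return verify(decode_base64($dk_b64), 'SHA-256', $password,
                  decode_base64($salt_b64), $iter) ? 1 : 0;
}

my $stored = make_userpassword('correct horse');   # constructed sample
print "$stored\n";
print check_userpassword($stored, 'correct horse') ? "match\n" : "no match\n";
print check_userpassword($stored, 'wrong')         ? "match\n" : "no match\n";
```

Because the iteration count travels with the value, it can be raised for new entries without breaking existing ones.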