Hi
Problem Statement:
If I have the following ldif executed by Directory Manager:
dn: uid=jsmith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
This will get transmitted in clear text (via ssl, if enabled) to the server if done remotely and will be subject to any password policy set.
If however the ldif looks like:
dn: uid=smith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
It is not subject to the password policy and still gets changed.
Doing an ldapsearch will show the following:
# jsmith, People, mycompany
dn: uid=jsmith,ou=People,dc=mycompany
uid: jsmith
cn: John Smith
userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=
Questions: Is the difference in behaviour when using a clear text password as opposed to a {SSHA} password intentional? Granted that it gets executed as Directory Manager.
Is there any way apart from looking at:
dn: cn=config
passwordStorageScheme: ssha
to determine what the encryption will be? Or put differently, how can I be sure that the string I am seeing has been properly encrypted according to the set standard?
Best Regards
In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.
Gerrard Geldenhuis wrote:
Hi
Problem Statement:
If I have the following ldif executed by Directory Manager:
dn: uid=jsmith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
This will get transmitted in clear text (via ssl, if enabled) to the server if done remotely and will be subject to any password policy set.
If however the ldif looks like:
dn: uid=smith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
It is not subject to the password policy and still gets changed.
Doing an ldapsearch will show the following:
# jsmith, People, mycompany
dn: uid=jsmith,ou=People,dc=mycompany
uid: jsmith
cn: John Smith
userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=
Questions:
Is the difference in behaviour when using a clear text password as opposed to a {SSHA} password intentional?
Yes.
Granted that it gets executed as Directory Manager.
And that is why it goes through. Because you are using Directory Manager, the directory server "assumes you know what you are doing".
Is there any way apart from looking at:
dn: cn=config
passwordStorageScheme: ssha
to determine what the encryption will be? Or put differently, how can I be sure that the string I am seeing has been properly encrypted according to the set standard?
Only set userPassword using clear text. That way you never have to worry about whether or not it has been properly encrypted. Never send a pre-encrypted password to the server. Using pre-encrypted passwords will break things like windows sync, kerberos, sasl/digest-md5 - anything that must have the clear text password.
Best Regards
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
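Added example, not part of the thread: the Python below shows what the original question can and cannot be answered with. It decodes a `userPassword::` line as ldapsearch prints it (the double colon marks a base64 value per RFC 2849), reads the `{SCHEME}` tag to confirm the stored value matches the configured `passwordStorageScheme`, and verifies a known clear-text password against an `{SSHA}` value, which is base64 of SHA-1 over password plus salt followed by the salt. Equality against a candidate is the only question the hash can answer, which is why the server cannot apply a password policy to a pre-hashed value. The DN, password and salt are constructed sample values; the thread's own base64 string is used only to demonstrate scheme detection.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values (not from the thread): a clear-text password and a
# fixed salt so the resulting {SSHA} value is reproducible in a test.
SAMPLE_CLEAR = "correct horse battery"
SAMPLE_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"


def ldif_attribute_value(line, attr="userPassword"):
    """Return the decoded value of one LDIF attribute line.

    'attr:: <b64>' is base64-encoded (RFC 2849); 'attr: <value>' is literal."""
    if line.startswith(attr + ":: "):
        return base64.b64decode(line[len(attr) + 3:].strip()).decode("utf-8")
    if line.startswith(attr + ": "):
        return line[len(attr) + 2:].strip()
    raise ValueError("not a %s line: %r" % (attr, line))


def storage_scheme(value):
    """Return the {SCHEME} tag of a stored userPassword in upper case, or
    'CLEAR' when the value has no tag, i.e. it was stored as plain text."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEAR"


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value: base64(SHA-1(password || salt) || salt).

    Salt length differs between implementations (4 and 8 bytes are both
    common); verify_ssha accepts any length."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(value, password):
    """True if `password` is the clear text behind the {SSHA} value.

    Everything after the 20-byte SHA-1 digest is the salt. This is the only
    check a hash supports; there is no way to run a policy over it."""
    if storage_scheme(value) != "SSHA":
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_entry(ldif_lines, expected_scheme="SSHA"):
    """For each userPassword line, report (scheme, matches_expected_scheme).

    expected_scheme is whatever cn=config passwordStorageScheme says."""
    report = []
    for line in ldif_lines:
        if not line.startswith("userPassword:"):
            continue
        scheme = storage_scheme(ldif_attribute_value(line))
        report.append((scheme, scheme == expected_scheme.upper()))
    return report


def sample_entry():
    """Constructed entry in the form ldapsearch prints, hashed from SAMPLE_CLEAR."""
    stored = ssha_hash(SAMPLE_CLEAR, SAMPLE_SALT)
    b64 = base64.b64encode(stored.encode("ascii")).decode("ascii")
    return [
        "dn: uid=example,ou=People,dc=example",  # constructed DN
        "uid: example",
        "userPassword:: " + b64,
    ]


if __name__ == "__main__":
    entry = sample_entry()
    value = ldif_attribute_value(entry[-1])
    print("scheme:", storage_scheme(value))
    print("matches sample clear text:", verify_ssha(value, SAMPLE_CLEAR))
    print("matches wrong password:", verify_ssha(value, "wrong"))
    print("audit against configured scheme:", audit_entry(entry))
```

`audit_entry` is the part that answers the question as asked: run it over an ldapsearch dump with the `passwordStorageScheme` from `cn=config` and any entry whose tag differs (or is `CLEAR`) was written by a client that bypassed the server's hashing. `verify_ssha` shows the limit the replies describe: given the hash you can confirm a password you already know, nothing more.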
On 9/22/2010 10:32 AM, Gerrard Geldenhuis wrote:
Hi
Problem Statement:
If I have the following ldif executed by Directory Manager:
dn: uid=jsmith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
This will get transmitted in clear text (via ssl, if enabled) to the server if done remotely and will be subject to any password policy set.
If however the ldif looks like:
dn: uid=smith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
It is not subject to the password policy and still gets changed.
[snip]
Questions:
Is the difference in behaviour when using a clear text password as opposed to a {SSHA} password intentional? Granted that it gets executed as Directory Manager.
I would think that the difference is not only intentional, but absolutely necessary. SSHA is a *hash*; it is not the password. There's no way to convert that hash back to a password to determine if the original data complied with security policies.