[Fedora-directory-users] modify userPassword via perl-ldap?
Gordon Messmer
gmessmer at u.washington.edu
Wed Oct 25 20:59:04 UTC 2006
Justin Crawford wrote:
> This page offers some advice for creating SHA and SSHA passwords (which
> your directory is likely doing) using various languages:
> http://www.openldap.org/faq/data/cache/347.html
>
> You could use one of those snippets to do your own hashing prior to
> updating the userPassword attribute.
>
If I understand things correctly, it's probably best to set passwords
plain-text and let the server hash them for you. I believe that you
*must* do this if you want to use PassSync to sync passwords with AD.
e.g.:
dn: uid=user,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userpassword: theNewPassword
If you don't specify a hash, the directory server should hash the
password on your behalf.
> You could also use one of those snippets in your verification routine:
> Generate a hash in perl using the same algorithm used by your directory,
> and compare the perl-generated hash to the one stored in the
> userPassword attribute. If the two hashes are the same, it is extremely
> probable (almost certain) that the passwords they obscure are the same.
> (Note to crypto geniuses: please be gentle if I am wrong ;)
>
For security purposes, no one should be able to see the userPassword
attribute. The proper way to validate a password is to search for the
user's entry in LDAP, save the DN of that entry, and then attempt to
bind as that DN using the password from the user. If the bind is
successful, then the password is correct.
More information about the 389-users
mailing list