OpenLDAP Authentication
Is there any way to define your own encryption/decryption rather than having a plain text password store? Can you have your own algorithm and run that separately as part of the process? I am new and the documentation online although detailed does not specify any concrete ways of doing this. This is specific to OpenLDAP and the current method used for authentication.
To be able to have the server hash the password for you by default you have to add a password policy overlay and a directive.
If you are using the online cn=config method add an overlay sub entry to your olcDatabase object.
dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyHashCleartext: TRUE
Slapd.conf method:
database bdb
suffix "dc=example,dc=com"
...
# invokes password policies for this DIT only
overlay ppolicy
ppolicy_hash_cleartext
Then when you add a new user with the userPassword attribute in plain text it will store the password hashed. I believe the default is a salted SHA1 which is pretty secure. You should also look into restricting access to the userPassword attribute.
olcAccess: to attrs=userPassword by self write by * auth
Apache Directory Studio can accomplish this for you.
This LDAP browser detects the userPassword OID and provides an interface to hash the password,
such as: userPassword:: e01ENX1Lc25MZmNBclBBQ0Q2M0NKamxTYll3PT0=
(it just works, because it's built in). Read the OpenLDAP README for more info: This directory contains native slapd plugins for password mechanisms that are not actively supported by the project. Currently this includes the Kerberos, Netscape MTA-MD5 and RADIUS password mechanisms. The Apache APR1 MD5 and BSD/Paul Henning Kamp MD5 mechanisms are also included.
To use the Kerberos plugin, add:
moduleload pw-kerberos.so
to your slapd configuration file.
yada yada yada
You should never, ever store passwords in reversible encryption if you use them for authentication!
You should store passwords with a one way hash function: MD5, SHA1, SHA256. If you do not absolutely require storing it in some old, specific format, you should always salt them. Salted SHA1 is the OpenLDAP good default.
The problem is that you need to use the LDAP Extended Operation to change the password, not the regular ldapmodify update, for it to work properly. Best to use ppolicy to actually enforce setting the password this way. You may want to do password quality checking and ageing while you're at it.
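An added example, not code from any of the answers above, showing what slapd actually stores once passwords are hashed: it decodes the base64 LDIF userPassword:: line quoted in the second answer, splits the {SCHEME} prefix from digest and salt, builds an {SSHA} value the same way slappasswd -h {SSHA} does (SHA1 over password plus a 4-byte salt, salt appended to the digest) and verifies candidates with a constant-time compare. The function names ldif_userpassword, parse_scheme, ssha_hash and verify are my own; the password behind the quoted {MD5} value is not known.

```python
import base64
import hashlib
import hmac
import os

# LDIF line copied from the answer above; the cleartext behind it is unknown.
SAMPLE_LDIF_LINE = "userPassword:: e01ENX1Lc25MZmNBclBBQ0Q2M0NKamxTYll3PT0="

# Schemes slapd handles natively: digest length in bytes and the hashlib name.
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}
ALGO = {"MD5": "md5", "SMD5": "md5", "SHA": "sha1", "SSHA": "sha1"}

def ldif_userpassword(line: str) -> str:
    """Decode a base64 'userPassword::' LDIF line into the value slapd stores."""
    attr, value = line.split("::", 1)
    if attr.strip().lower() != "userpassword":
        raise ValueError("not a userPassword attribute")
    return base64.b64decode(value.strip()).decode("ascii")

def parse_scheme(stored: str):
    """Split '{SCHEME}base64' into (scheme, digest, salt); None means cleartext."""
    if not stored.startswith("{") or "}" not in stored:
        return None
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in DIGEST_LEN:
        raise ValueError(f"unsupported scheme {scheme}")
    raw = base64.b64decode(b64)
    n = DIGEST_LEN[scheme]
    return scheme, raw[:n], raw[n:]   # salt is b"" for unsalted schemes

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Build an {SSHA} value: base64(sha1(password + salt) + salt), 4-byte random salt."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored value without leaking timing on the compare."""
    parsed = parse_scheme(stored)
    if parsed is None:   # cleartext store: the situation the answers warn against
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, digest, salt = parsed
    computed = hashlib.new(ALGO[scheme], candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)

if __name__ == "__main__":
    stored = ldif_userpassword(SAMPLE_LDIF_LINE)
    print(stored, "->", parse_scheme(stored)[0])
    fresh = ssha_hash("correct horse")
    print(fresh, verify(fresh, "correct horse"), verify(fresh, "wrong"))
```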