enable sha password

Support for security such as Firewalls and securing linux
Post Reply
light86
Posts: 72
Joined: 2015/03/29 15:08:36

enable sha password

Post by light86 » 2015/11/05 18:47:47

Hi every one I have configured an openldap in centos 7
it work and i can create users but the password is clear version in file configuration
(when i try to have sha password in openldap password utiliy) ,the ldap bind don't work
Please how i can enable sha password
Thank you

aks
Posts: 2859
Joined: 2014/09/20 11:22:14

Re: enable sha password

Post by aks » 2015/11/05 18:58:24

I'm not sure what you mean.

If you have {encryption_string_like_ssha} as an attribute before the password, then it's encrypted in some manner.
As an alternative, use a TLS tunnel and move encryption to the socket (this is ostensibly not the best thing but it'll work).

light86
Posts: 72
Joined: 2015/03/29 15:08:36

Re: enable sha password

Post by light86 » 2015/11/05 19:39:13

hi thank you
what i mean is in the file configuration of openldap i can set the rootdn password as text clear or sha password
When i set the rootdn password as clear password the openldap work but i want set rootdn password as sha password ,i can't not create users
Thank you

aks
Posts: 2859
Joined: 2014/09/20 11:22:14

Re: enable sha password

Post by aks » 2015/11/06 17:12:33


light86
Posts: 72
Joined: 2015/03/29 15:08:36

Re: enable sha password

Post by light86 » 2015/11/06 18:40:41

Hi thank you
I generate the password ({SSHA}) with slappasswd utiliy
Thank you

aks
Posts: 2859
Joined: 2014/09/20 11:22:14

Re: enable sha password

Post by aks » 2015/11/07 15:32:24

In that case, see the links posted.

light86
Posts: 72
Joined: 2015/03/29 15:08:36

Re: enable sha password

Post by light86 » 2015/11/07 16:24:48

Hi thank you
i have seen the link
But I have still the problem of bind authentification when the password is hashed
Thank you

aks
Posts: 2859
Joined: 2014/09/20 11:22:14

Re: enable sha password

Post by aks » 2015/11/08 14:57:32

OpenLDAP supports tcp_wrappers - have you placed the relevant hosts in /etc/hosts.allow|deny? And check OpenLDAP is actually listening on the correct interface(s).
Bind authentication - so anonymous bind is disabled? Are you doing simple authentication?
OpenLDAP supports any different password hashing schemes - you can use password-hash to change the hashing algorithm (I think the default one is SSHA).
The userpassword attribute is (I think by default) base64 encoded (it usually has :: before the hash), so you need to echo that string through base64 -d to "un-base64" the attribute, then you can see the hashing algorithm used.
If you send hashed passwords - your password policy may be configured to reject them - check. Some info on password policy: http://www.openldap.org/lists/openldap- ... 00002.html
Are your clients using SSL/TLS?
This would probably be useful to you: http://www.openldap.org/faq/data/cache/347.html
By the way, how are testing (I'd recommend ldapsearch).
Some hints on how to enable hashing (hopefully theuy'll show you where you went wrong):
http://serverfault.com/questions/571928 ... r-openldap
http://xacmlinfo.org/2015/06/25/enable- ... -openldap/

light86
Posts: 72
Joined: 2015/03/29 15:08:36

Re: enable sha password

Post by light86 » 2015/11/08 15:02:01

Hi thank you
What i notice that is the password is clear all ldap command work
i have the same of problem of 389-ldap-server
When i have clear password all work
Thank you

Post Reply

Return to “CentOS 7 - Security Support”