Different algorithms for password encryption/hashing?
Hi, I've just stumbled upon the missing LDAPAuthPWType SSHA, which is the default algorithm used in OpenLDAP. Crypt and plain are supported in the ftp-proxy, but SSHA is not, as far as I can see. Is there any chance of this being supported, or any reason why this is not the case? Thanks, JanUwe
On Wed, Jul 20, 2005 at 03:19:24PM +0200, ks.service.int2@ndr.de wrote:
> Hi,
> I've just stumbled upon the missing LDAPAuthPWType SSHA, which is the default algorithm used in OpenLDAP. Crypt and plain are supported in the ftp-proxy, but SSHA is not, as far as I can see.
> Is there any chance of this being supported, or any reason why this is not the case?
No - don't use the manual password checks via LDAPAuthPWAttr and
LDAPAuthPWType. They are legacy code, required for openldap-1.x only!
Use "LDAPBindDN auto" instead to let the LDAP server authenticate
the user with an LDAP simple bind.
The proxy searches for $LDAPIdentifier=<USER> (e.g. "CN=foo") below
the DN specified with LDAPAuthDN (with fallback to LDAPBaseDN) and uses
the DN of the entry it finds to perform an authenticated LDAP bind.
For example - if ldap tree contains user 'foo' entry:
dn: uid=foo,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: foo
[...]
use these settings:
LDAPBindDN auto
LDAPAuthDN dc=example,dc=com
LDAPIdentifier uid
LDAPObjectClass posixAccount
LDAPServer localhost
UserAuthType ldap
# in case you want to store per user settings in ldap also:
#LDAPBaseDN dc=example,dc=com
To authenticate the user 'foo', the proxy first does a search like this:
ldapsearch -x -h localhost -s sub -b "dc=example,dc=com" \
"(&(ObjectClass=posixAccount)(uid=foo))" "uid"
anonymously, and then uses the DN of the entry it finds here
("uid=foo,ou=People,dc=example,dc=com" in this case) in an
authenticated LDAP bind. If this bind is successful, the authentication is OK.
In case your LDAP server is configured to disallow anonymous searches,
you can specify a DN & password via LDAPPreBindDN & LDAPPreBindPW for the
user-DN search.
Bye,
Marius.
-- 
Marius Tomaschewski
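The search-then-bind flow Marius describes, written out as an added example; this is not ftp-proxy's code and not part of either post. The directory below is an in-memory stand-in for the LDAP server, constructed for this example, and its {SSHA} check mirrors how OpenLDAP verifies a {SSHA} userPassword: the server owns the hash scheme, which is exactly why the proxy never has to know it. The configuration values are the ones from the posted example; the function and class names are this example's own.

```python
"""Two-step LDAP authentication: anonymous search for the user's DN, then a
simple bind as that DN. The directory is a constructed stand-in for the server."""

import base64
import hashlib
import hmac
import os
import re

# Values taken from the configuration in the post.
LDAP_AUTH_DN = "dc=example,dc=com"
LDAP_IDENTIFIER = "uid"
LDAP_OBJECT_CLASS = "posixAccount"


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a
    username such as 'foo)(uid=*' cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_search_filter(user):
    """The filter the proxy sends: (&(objectClass=posixAccount)(uid=<USER>))."""
    return "(&(objectClass=%s)(%s=%s))" % (
        LDAP_OBJECT_CLASS, LDAP_IDENTIFIER, escape_filter_value(user))


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """Server-side check of a {SSHA} value; SHA-1 digests are 20 bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


class FakeDirectory:
    """Stand-in for the LDAP server (constructed): AND-of-equality filters only."""
    _TERM = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")

    def __init__(self, entries):
        self.entries = entries  # dn -> {attribute: value}

    @staticmethod
    def _unescape(value):
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

    def search(self, base, ldap_filter):
        if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
            raise ValueError("unsupported filter")
        terms = [(k.lower(), self._unescape(v))
                 for k, v in self._TERM.findall(ldap_filter[2:-1])]
        hits = []
        for dn, attrs in self.entries.items():
            if not dn.lower().endswith(base.lower()):
                continue
            lowered = {k.lower(): v for k, v in attrs.items()}
            if all(lowered.get(k) == v for k, v in terms):
                hits.append(dn)
        return hits

    def simple_bind(self, dn, password):
        # An empty password must never succeed: on a real server a DN with an
        # empty password is an unauthenticated (anonymous) bind, not a login.
        entry = self.entries.get(dn)
        return entry is not None and password != "" and ssha_verify(entry["userPassword"], password)


def authenticate(directory, user, password):
    """Step 1: anonymous search for the user's DN; step 2: bind as that DN.
    Returns the bound DN on success, None otherwise."""
    dns = directory.search(LDAP_AUTH_DN, build_search_filter(user))
    if len(dns) != 1:  # no entry, or an ambiguous one: refuse
        return None
    return dns[0] if directory.simple_bind(dns[0], password) else None


# Constructed directory content matching the entry in the post; fixed salt for reproducibility.
DIRECTORY = FakeDirectory({
    "uid=foo,ou=People,dc=example,dc=com": {
        "objectClass": "posixAccount",
        "uid": "foo",
        "userPassword": ssha_hash("s3cret", salt=b"\x01\x02\x03\x04"),
    },
})

if __name__ == "__main__":
    print(build_search_filter("foo"))
    print(authenticate(DIRECTORY, "foo", "s3cret"))
    print(authenticate(DIRECTORY, "foo", "wrong"))
```

Two details matter beyond the happy path: the username is escaped before it is substituted into the filter, and a bind with an empty password is rejected outright, since many servers treat DN-plus-empty-password as an anonymous bind that "succeeds" without proving anything.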
On Wed, Jul 20, 2005 at 06:34:49PM +0200, Marius T. wrote:
> On Wed, Jul 20, 2005 at 03:19:24PM +0200, ks.service.int2@ndr.de wrote:
> > Hi,
> > I've just stumbled upon the missing LDAPAuthPWType SSHA, which is the default algorithm used in OpenLDAP. Crypt and plain are supported in the ftp-proxy, but SSHA is not, as far as I can see.
> > Is there any chance of this being supported, or any reason why this is not the case?
> No - don't use the manual password checks via LDAPAuthPWAttr and LDAPAuthPWType. They are legacy code, required for openldap-1.x only!
> Use "LDAPBindDN auto" instead to let the LDAP server authenticate the user with an LDAP simple bind.
Using this, the proxy simply relies on whatever password algorithms the
server supports, via an ldap_simple_bind call. Other binds, such as
ldap_sasl_bind, are not supported by the proxy.
Bye,
Marius.
-- 
Marius Tomaschewski