08-03-2012 01:30 AM
ldapux against openldap
Hello,
we have authentication and authorization of LDAP users working using ldapux (5.01) against OpenLDAP (2.4.23).
We are not able to enforce the password policy (set in /etc/default/security) for users when they are changing the password using the passwd command.
Another problem is that the passwd command stores passwords on LDAP in plaintext. Does anybody know how to force them to store it in at least hash format?
R.
08-05-2012 05:05 AM
Re: ldapux against openldap
With LDAP authentication, the LDAP client host won't know the history of the password, so it cannot enforce any requirements like "do not reuse X previous passwords". Only the LDAP server can do that. Check out the slapo-ppolicy overlay for the OpenLDAP server (see man slapo-ppolicy).
Regarding your plaintext password issue:
From the LDAP-UX B.05.01 Release Notes (emphasis mine):
------------------
2.7.10 Clear text passwords
login(1), passwd(1) and ldappasswd(1) transmit passwords in clear text (unencrypted) over the network unless SSL, TLS, or SASL Digest-MD5 authentication is enabled with setup. To support SASL/DIGEST-MD5, some directory server products (including HP-UX Directory Server) store the password in clear text. By default, when using customized install mode, SSL and SASL/DIGEST-MD5 authentication is disabled. Using SSL or TLS (a default when using guided installation mode) allows passwords to be stored in any format on the directory server (including the Salted Secure Hash Algorithm, SSHA), and also protects password transmission over the network.
------------------
The SASL/DIGEST-MD5 authentication requires the directory server to have access to the password in plaintext form, in order to verify the correctness of the digest produced by the client. So, if you use this authentication method, the directory server must store the password either as plaintext, or encrypted in a reversible way (= equivalent to plaintext if the encryption key is available).
If you are not using SASL/DIGEST-MD5, then you should check which password hash algorithm is used by the OpenLDAP server when the "LDAP Password Modify Extended Operation" is used. If you are using a slapd.conf file, the configuration keyword is password-hash; if you are using dynamic configuration, the attribute is olcPasswordHash, located in either olcDatabase=frontend,cn=config (= a global setting) or olcDatabase=<name of your LDAP database>,cn=config (= specific to that particular OpenLDAP database).
The preferred password hash choice is {SSHA}. If you need to use the NIS/LDAP Gateway functionality of LDAP-UX for authentication, you'll have to use {CRYPT} instead. In that case, you should pay attention to another OpenLDAP server configuration setting: password-crypt-salt-format (slapd.conf) or olcPasswordCryptSaltFormat (dynamic configuration). The value of this setting determines the format of the salt field submitted to the standard crypt(3) function of the LDAP server OS. The traditional crypt(3) format, which is required by most HP-UX versions, would be achievable with the setting "%.2s". If your HP-UX version is 11.31 and the optional support for long passwords is installed, you might try "$6$%.12s$" for SHA-512 style password hashes.
(The use of SHA-512 requires the crypt() implementation of the LDAP server to support the SHA-512 format, and if you authenticate via the NIS/LDAP Gateway, then the clients will need the SHA-512 support too.)
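The reply above says to check which scheme slapd actually applies to passwords set through the Password Modify extended operation. The script below is an added example for this thread, not code from either post or from LDAP-UX/OpenLDAP: it audits the userPassword values in an LDIF export (the kind `slapcat` or `ldapsearch -LLL -b <suffix> userPassword` produces), flags entries with no {SCHEME} prefix as stored in clear text, verifies an {SSHA} value against a known cleartext, and emits the cn=config LDIF that sets olcPasswordHash to {SSHA}. The three directory entries are constructed for the example; the frontend DN is written with the {-1} index slapd normally assigns it.

```python
"""Audit userPassword storage schemes in an OpenLDAP LDIF export and
verify an {SSHA} value. Added example, not from the original thread.
The sample entries below are constructed, not from a real directory."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import re


def password_hash_ldif(scheme: str = "{SSHA}",
                       db_dn: str = "olcDatabase={-1}frontend,cn=config") -> str:
    """LDIF for `ldapmodify -Y EXTERNAL -H ldapi:///` that makes slapd hash
    passwords it receives via the Password Modify extended operation.
    The {-1} index is the value slapd normally gives the frontend database."""
    return (f"dn: {db_dn}\n"
            "changetype: modify\n"
            "replace: olcPasswordHash\n"
            f"olcPasswordHash: {scheme}\n")


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """OpenLDAP {SSHA}: base64( SHA1(password || salt) || salt ), 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """True if `stored` is an {SSHA} value for `password` (SHA-1 digest is 20 bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def classify(value: str) -> str:
    """Storage scheme of one userPassword value: its {SCHEME} prefix, else CLEARTEXT.
    A value with no prefix is exactly the symptom the original poster describes."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else "CLEARTEXT"


def parse_passwords(ldif: str) -> dict[str, str]:
    """Map DN -> decoded userPassword for every entry carrying one.

    Handles LDIF line folding (continuation lines start with one space) and
    base64 values ('userPassword::'), which slapcat emits because the
    attribute is binary-safe. If an entry has several values, the last wins."""
    unfolded = re.sub(r"\n ", "", ldif)
    found: dict[str, str] = {}
    dn = None
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            dn = base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            dn = line[4:]
        elif dn and line.startswith("userPassword:"):
            rest = line[len("userPassword:"):]
            if rest.startswith(": "):
                value = base64.b64decode(rest[2:]).decode("utf-8", "replace")
            else:
                value = rest.lstrip()
            found[dn] = value
    return found


def audit(ldif: str) -> dict[str, str]:
    """DN -> scheme for every stored password; anything CLEARTEXT needs fixing."""
    return {dn: classify(v) for dn, v in parse_passwords(ldif).items()}


def b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed export: one {SSHA} entry (fixed salt so it is reproducible),
# one stored in clear text with the base64 value folded across two lines
# ("hunter2"), and one {CRYPT} entry with a placeholder digest, as the
# NIS/LDAP Gateway case would need.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "uid: alice\n"
    f"userPassword:: {b64(ssha_hash('correct horse', b'abcd'))}\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "uid: bob\n"
    "userPassword:: aHVudGVy\n"
    " Mg==\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "uid: carol\n"
    "userPassword: {CRYPT}$6$saltsaltsalt$placeholder.not.a.real.digest\n"
)

if __name__ == "__main__":
    for dn, scheme in audit(SAMPLE_LDIF).items():
        flag = "  <-- stored in clear text" if scheme == "CLEARTEXT" else ""
        print(f"{scheme:<10} {dn}{flag}")
    alice = parse_passwords(SAMPLE_LDIF)["uid=alice,ou=people,dc=example,dc=com"]
    print("alice verifies:", ssha_verify("correct horse", alice))
    print(password_hash_ldif())
```

Run it against a real `slapcat` dump to see which entries were written before olcPasswordHash was set; those keep their cleartext value until the user changes the password again, since slapd only hashes on the Password Modify operation, not on a plain modify of userPassword. Note that the audit only tells you how values are stored: if SASL/DIGEST-MD5 is in use, the reply explains why cleartext storage is unavoidable, and the fix is to move to SSL/TLS with simple bind instead.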