Operating System - Tru64 Unix
cancel
Showing results for 
Search instead for 
Did you mean: 

LDAP support for different password hashes

SOLVED
Go to solution
Graham Allan
Advisor

LDAP support for different password hashes

I'm wondering if ldapcd on Tru64 5.1B (we run PK6) has any support for password hashes other than crypt. It's a minor irritation to us that we have to keep all our passwords in crypt format rather than something slightly more secure...

(I know we can use different hashes when running enhanced security, but here I am just talking about basic security with an ldap accounts backend - we need compatibility with other OSes).

I haven't seen anything documented, but running "strings" against /usr/sbin/ldapcd does bring up an occurrence of "{SHA}". Does this imply it might work? My casual attempt to have it work, didn't. But someone here is certain to know more!

Thanks for any feedback,

Graham
2 REPLIES
Ann Majeske
Honored Contributor
Solution

Re: LDAP support for different password hashes

Looking at the source code, there is a check if the encrypted password length is 28 characters the ldap SIA mechanism assumes that the password is encrypted using SHA with base64 encoding. But, I'm pretty sure this is in a section of code that is not used. I don't see a way for creating the SHA encrypted passwords in the ldap mechanism, either. So it's probably just a leftover reference from a possible feature that was never developed. I could find no references in the documentation that this feature is allowed either.

Ann
Graham Allan
Advisor

Re: LDAP support for different password hashes

Thanks for checking the source code for me! It's too bad that the code is "almost there" but can't be used, but I guess this is something very unlikely to get changed at this point in time, since it has never been advertised as working. I guess we could check into using SHA only for users who don't need to access Tru64...

Getting the hashes into LDAP wouldn't be much of a problem since we tend to use external tools to manage the directory (in our case https://gna.org/projects/smbldap-tools/)