HPE Community
Operating System - Tru64 Unix
1753523 Members
6096 Online
108795 Solutions
New Discussion юеВ

LDAP support for different password hashes

 
SOLVED
Go to solution
Graham Allan
Advisor

тАО11-23-2008 10:55 AM

тАО11-23-2008 10:55 AM

LDAP support for different password hashes

I'm wondering if ldapcd on Tru64 5.1B (we run PK6) has any support for password hashes other than crypt. It's a minor irritation to us that we have to keep all our passwords in crypt format rather than something slightly more secure...

(I know we can use different hashes when running enhanced security, but here I am just talking about basic security with an ldap accounts backend - we need compatibility with other OSes).

I haven't seen anything documented, but running "strings" against /usr/sbin/ldapcd does bring up an occurrence of "{SHA}". Does this imply it might work? My casual attempt to have it work, didn't. But someone here is certain to know more!

Thanks for any feedback,

Graham
0 Kudos
2 REPLIES 2
Ann Majeske
Honored Contributor

тАО11-24-2008 09:51 AM

тАО11-24-2008 09:51 AM

Solution

Re: LDAP support for different password hashes

Looking at the source code, there is a check if the encrypted password length is 28 characters the ldap SIA mechanism assumes that the password is encrypted using SHA with base64 encoding. But, I'm pretty sure this is in a section of code that is not used. I don't see a way for creating the SHA encrypted passwords in the ldap mechanism, either. So it's probably just a leftover reference from a possible feature that was never developed. I could find no references in the documentation that this feature is allowed either.

Ann
Graham Allan
Advisor

тАО11-24-2008 10:35 AM

тАО11-24-2008 10:35 AM

Re: LDAP support for different password hashes

Thanks for checking the source code for me! It's too bad that the code is "almost there" but can't be used, but I guess this is something very unlikely to get changed at this point in time, since it has never been advertised as working. I guess we could check into using SHA only for users who don't need to access Tru64...

Getting the hashes into LDAP wouldn't be much of a problem since we tend to use external tools to manage the directory (in our case https://gna.org/projects/smbldap-tools/)

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.