From: Jan-Frode M. <jan...@ta...> - 2009-03-07 23:50:23
I have a script that tries to sync a user database with plaintext
username/password in MySQL to a CentOS Directory Server. Currently I've
been pushing the passwords into the directory by first creating the SSHA1
hash in Python and storing '{SSHA}' + encoded string in the password
field.

But it occurred to me that I'm not fully sure what I'm doing when creating
the SSHA1 hash, so it would be nice to have the directory server do the
hashing instead. I've found the method:

  passwd_s(user, oldpw, newpw, [serverctrls=None, [clientctrls=None]])

but is there any way to use that when I don't know the plaintext 'oldpw'?

-jf
From: Michael S. <mi...@st...> - 2009-03-09 00:08:55
Jan-Frode Myklebust wrote:
> I have a script that tries to sync a userdatabase with
> plaintext username/password in mysql, to a Centos Directory
> Server. Currently I've been pushing the passwords into the
> directory by first creating the SSHA1 hash in python and
> store '{SSHA}' + encode-string in the password field.
>
> But, it occurred to me that I'm not fully sure what I'm doing
> when creating the SSHA1 hash,

If the password is usable afterwards there's nothing wrong with
client-side password hashing. The salt should be at least 4 bytes long.

> so it would be nice to have
> the directory server do the hashing instead. I've found the
> method:
>
> passwd_s(user, oldpw, newpw, [serverctrls=None, [clientctrls=None]])
>
> but are there any way to use that when I don't know the plaintext
> 'oldpw' ?

Simply use None for oldpw.

Ciao, Michael.
From: Zhang H. <zhb...@gm...> - 2009-03-09 09:41:14
Michael Ströder wrote:
> Yes. Other LDAP servers might have a different configuration. Also some
> servers set other password attributes as well (e.g. the smbk5pwd overlay
> for OpenLDAP sets Samba password attributes and the Kerberos keys for a
> heimdal KDC).
>
> Ciao, Michael.

Thanks Michael. :)

How can I set the DEFAULT password-hash in slapd.conf? Such as MD5 or
whatever.

--
Best regards.

Zhang Huangbin - Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/
From: Michael S. <mi...@st...> - 2009-03-09 10:38:00
Zhang Huangbin wrote:
> Michael Ströder wrote:
>> Yes. Other LDAP servers might have a different configuration. Also some
>> servers set other password attributes as well (e.g. the smbk5pwd overlay
>> for OpenLDAP sets Samba password attributes and the Kerberos keys for a
>> heimdal KDC).
>
> How can i set DEFAULT password-hash in slapd.conf? such as MD5 or whatever.

That's more a question for the openldap-software mailing list. Since you
already found the password-hash parameter you could simply use it:

  password-hash {SSHA}

Ciao, Michael.
From: Jan-Frode M. <jan...@ta...> - 2009-03-09 11:05:41
On 2009-03-09, Michael Ströder <mi...@st...> wrote:
>
>> But, it occurred to me that I'm not fully sure what I'm doing
>> when creating the SSHA1 hash,
>
> If the password is usable afterwards there's nothing wrong with
> client-side password hashing. The salt should be at least 4 bytes long.

Still, I'm uncertain how e.g. character encodings will/should be
handled, so it seems safer to let the directory server handle both the
hashing and verification.

> Simply use None for oldpw.

It didn't like None:

Traceback (most recent call last):
  File "./update-ldap-from-atmail.py", line 166, in ?
    con.passwd_s( dn, None, mailpassword )
  File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 330, in passwd_s
    msgid = self.passwd(user,oldpw,newpw,serverctrls,clientctrls)
  File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 327, in passwd
    return self._ldap_call(self._l.passwd,user,oldpw,newpw,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))
  File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
    result = func(*args,**kwargs)
TypeError: argument 2 must be string or read-only buffer, not None

but "" seems to work (after I set up SSL to get around the
ldap.CONFIDENTIALITY_REQUIRED).

Thanks!

-jf
From: Michael S. <mi...@st...> - 2009-03-09 11:28:01
Jan-Frode Myklebust wrote:
> On 2009-03-09, Michael Ströder <mi...@st...> wrote:
>>> But, it occurred to me that I'm not fully sure what I'm doing
>>> when creating the SSHA1 hash,
>> If the password is usable afterwards there's nothing wrong with
>> client-side password hashing. The salt should be at least 4 bytes long.
>
> Still, I'm uncertain how f.ex. character encodings will/should be
> handled, so it seems safer to let the directory server handle both the
> hashing and verification.

For LDAPv3 you should pass UTF-8 to the python-ldap functions/methods or
before hashing the password. (In theory one has to use SASLprep before
the UTF-8 encoding but in most cases this is the same).

Ciao, Michael.
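As an added example (not code from this thread or from python-ldap), this is what the client-side '{SSHA}' hashing discussed above looks like when done with a random salt of at least 4 bytes and a UTF-8 encoded password, together with the verification step a directory performs on bind. Written for Python 3; the NFKC normalisation standing in for SASLprep and the helper names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20          # SHA-1 digest length in bytes
MIN_SALT_LEN = 4       # minimum salt length recommended in the thread


def _prepare(password):
    # LDAPv3 expects UTF-8; NFKC normalisation here approximates SASLprep
    # (an assumption of this example, not a full RFC 4013 implementation).
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def make_ssha(password, salt=None):
    """Return an RFC 2307 style '{SSHA}' value: base64(SHA1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)        # fresh random salt per password, > MIN_SALT_LEN
    if len(salt) < MIN_SALT_LEN:
        raise ValueError("salt must be at least %d bytes" % MIN_SALT_LEN)
    digest = hashlib.sha1(_prepare(password) + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, candidate):
    """Verify a candidate password against a stored '{SSHA}' value."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(SSHA_PREFIX):])
    if len(blob) < SHA1_LEN + MIN_SALT_LEN:
        return False                # truncated or unsalted blob, reject it
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    expected = hashlib.sha1(_prepare(candidate) + salt).digest()
    # constant-time comparison so verification timing leaks nothing about the digest
    return hmac.compare_digest(expected, digest)
```

The same value also round-trips through a server-side check: a stored value produced by make_ssha() is verified by OpenLDAP's own {SSHA} scheme in the same way, so the two sides agree as long as both see the same UTF-8 bytes.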
From: Zhang H. <zhb...@gm...> - 2009-03-09 01:50:35
Michael Ströder wrote:
>> so it would be nice to have
>> the directory server do the hashing instead. I've found the
>> method:
>>
>> passwd_s(user, oldpw, newpw, [serverctrls=None, [clientctrls=None]])
>>
>> but are there any way to use that when I don't know the plaintext
>> 'oldpw' ?
>>
>
> Simply use None for oldpw.

How can I specify the hash mechanism in passwd_s()? Like SSHA, MD5.
It seems to use the default setting of the LDAP server (password-hash in
OpenLDAP slapd.conf), right?

--
Best regards.

Zhang Huangbin - Open Source Mail Server Solution for RHEL/CentOS 5.x:
http://code.google.com/p/iredmail/
From: Michael S. <mi...@st...> - 2009-03-09 09:27:23
Zhang Huangbin wrote:
> Michael Ströder wrote:
>>> so it would be nice to have
>>> the directory server do the hashing instead. I've found the
>>> method:
>>>
>>> passwd_s(user, oldpw, newpw, [serverctrls=None, [clientctrls=None]])
>>>
>>> but are there any way to use that when I don't know the plaintext
>>> 'oldpw' ?
>>>
>>
>> Simply use None for oldpw.
>
> How can i specfy hash mechanism in passwd_s()? like SSHA, MD5.

You don't. That's completely configured at the server's side.

> It seems use default setting of ldap server (password-hash in openldap
> slapd.conf),

Yes. Other LDAP servers might have a different configuration. Also some
servers set other password attributes as well (e.g. the smbk5pwd overlay
for OpenLDAP sets Samba password attributes and the Kerberos keys for a
heimdal KDC).

Ciao, Michael.