Commit 1b24c288 authored by Quanah Gibson-Mount
Sync with head

parent 7dc122a9
...@@ -173,35 +173,51 @@ mechanism. The {{SECT:Using SASL}} section discusses the use of SASL. ...@@ -173,35 +173,51 @@ mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.
H2: Password Storage H2: Password Storage
LDAP passwords are normally stored in the {{userPassword}} attribute. LDAP passwords are normally stored in the {{userPassword}} attribute.
{{REF:RFC4519}} specifies that passwords are not stored in encrypted form, {{REF:RFC4519}} specifies that passwords are not stored in encrypted
but this can create an unwanted security exposure so {{slapd}} provides (or hashed) form. This allows a wide range of password-based
several options for the administrator to choose from. authentication mechanisms, such as {{EX:DIGEST-MD5}} to be used.
This is also the most interoperable storage scheme.
However, it may be desirable to store a hash of password instead.
{{slapd}}(8) supports a variety of storage schemes for the administrator
to choose from.
Note: Values of password attributes, regardless of storage scheme
used, should be protected as if they were clear text. Hashed
passwords are subject to {{dictionary attacks}} and {{brute-force
attacks}}.
The {{userPassword}} attribute is allowed to have more than one value, The {{userPassword}} attribute is allowed to have more than one value,
and it is possible for each value to be stored in a different form. and it is possible for each value to be stored in a different form.
During authentication, {{slapd}} will iterate through the values During authentication, {{slapd}} will iterate through the values
until it finds one that matches the offered password or until it until it finds one that matches the offered password or until it
runs out of values to inspect. The storage scheme is stored as a prefix runs out of values to inspect. The storage scheme is stored as a prefix
on the value, so a Unix {{crypt}}-style password might look like this: on the value, so a hashed password using the Salted SHA1 ({{EX:SSHA}})
scheme looks like:
> userPassword: {CRYPT}.7D8U/PCF00Hw > userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
In general, it is safest to store passwords in a salted hashed format The advantage of hashed passwords is that an attacker which
like SSHA. This makes it very hard for an attacker to derive passwords discovers the hash does not have direct access to the actual password.
from stolen backups or by obtaining access to the on-disk {{slapd}} Unfortunately, as dictionary and brute force attacks are generally
database. quite easy for attackers to successfully mount, this advantage is
marginal at best (this is why all modern Unix systems use shadow
password files).
The disadvantage of hashed storage is that it prevents the use of some The disadvantages of hashed storage is that they are non-standard, may
authentication mechanisms such as {{EX:DIGEST-MD5}}. cause interoperability problem, and generally preclude the use
of stronger than Simple (or SASL/PLAIN) password-based authentication
mechanisms such as {{EX:DIGEST-MD5}}.
H3: CLEARTEXT password storage scheme H3: SSHA password storage scheme
Cleartext passwords can be stored directly in the {{userPassword}} This is the salted version of the SHA scheme. It is believed to be the
attribute, or can have the '{CLEARTEXT}' prefix. These two values are most secure password storage scheme supported by {{slapd}}.
equivalent:
> userPassword: secret These values represent the same password:
> userPassword: {CLEARTEXT}secret
> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
> userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb
H3: CRYPT password storage scheme H3: CRYPT password storage scheme
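Review bot: the CLEARTEXT password storage scheme subsection (the optional '{CLEARTEXT}' prefix and the two equivalent forms "userPassword: secret" / "userPassword: {CLEARTEXT}secret") is removed on the right-hand side without a replacement, while the new introductory paragraph now says cleartext storage is what RFC 4519 specifies and is "the most interoperable storage scheme"; readers are left with no place that shows what a cleartext value looks like or that the prefix is optional, so keep that subsection or fold its two example lines into the paragraph above the new Note. The right-hand prose also needs grammar fixes: "store a hash of password" should read "a hash of the password", "The disadvantages of hashed storage is that they are non-standard, may cause interoperability problem" should read "The disadvantages of hashed storage are that it is non-standard, may cause interoperability problems", and "an attacker which discovers the hash" should be "an attacker who discovers the hash".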
...@@ -218,9 +234,8 @@ transferred to or from an existing Unix password file without having ...@@ -218,9 +234,8 @@ transferred to or from an existing Unix password file without having
to know the cleartext form. Both forms of {{crypt}} include salt so to know the cleartext form. Both forms of {{crypt}} include salt so
they have some resistance to dictionary attacks. they have some resistance to dictionary attacks.
Note: Since this scheme uses the operating system's {{crypt(3)}}
Note: Since this scheme uses the operation system's {{crypt(3)}} hash function, hash function, it is therefore operating system specific.
it is therefore operation system specific.
H3: MD5 password storage scheme H3: MD5 password storage scheme
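Review bot: the reflowed Note on the right-hand side fixes "operation system" to "operating system", but "Since this scheme uses ... it is therefore operating system specific" is redundant; drop either "Since" or "therefore", for example "Note: this scheme uses the operating system's {{crypt(3)}} hash function and is therefore operating system specific."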
...@@ -251,16 +266,6 @@ of salt leaves the scheme exposed to dictionary attacks. ...@@ -251,16 +266,6 @@ of salt leaves the scheme exposed to dictionary attacks.
> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= > userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
H3: SSHA password storage scheme
This is the salted version of the SHA scheme. It is believed to be the
most secure password storage scheme supported by {{slapd}}.
These values represent the same password:
> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
> userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb
H3: SASL password storage scheme H3: SASL password storage scheme
This is not really a password storage scheme at all. It uses the This is not really a password storage scheme at all. It uses the
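Review bot: the SSHA subsection removed here (and re-inserted above, ahead of CRYPT, in the first hunk) still states that SSHA "is believed to be the most secure password storage scheme supported by {{slapd}}", which sits awkwardly next to the new introduction's claim that the advantage of hashing is "marginal at best"; since the move makes SSHA the first scheme a reader meets, reconcile the two, for example by saying that the salt defeats precomputed dictionary tables while the Note above still applies to weak passwords. Also confirm that any {{SECT:...}} cross-references to the SSHA subsection still resolve after the reorder.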