Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
O
OpenLDAP
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Test cases
Artifacts
Deploy
Releases
Package registry
Container Registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
James Lowden
OpenLDAP
Commits
1b24c288
Commit
1b24c288
authored
16 years ago
by
Quanah Gibson-Mount
Browse files
Options
Downloads
Patches
Plain Diff
Sync with head
parent
7dc122a9
No related branches found
Branches containing commit
No related tags found
Tags containing commit
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
doc/guide/admin/security.sdf
+36
-31
36 additions, 31 deletions
doc/guide/admin/security.sdf
with
36 additions
and
31 deletions
doc/guide/admin/security.sdf
+
36
−
31
View file @
1b24c288
...
...
@@ -173,35 +173,51 @@ mechanism. The {{SECT:Using SASL}} section discusses the use of SASL.
H2: Password Storage
LDAP passwords are normally stored in the {{userPassword}} attribute.
{{REF:RFC4519}} specifies that passwords are not stored in encrypted form,
but this can create an unwanted security exposure so {{slapd}} provides
several options for the administrator to choose from.
{{REF:RFC4519}} specifies that passwords are not stored in encrypted
(or hashed) form. This allows a wide range of password-based
authentication mechanisms, such as {{EX:DIGEST-MD5}} to be used.
This is also the most interoperable storage scheme.
However, it may be desirable to store a hash of password instead.
{{slapd}}(8) supports a variety of storage schemes for the administrator
to choose from.
Note: Values of password attributes, regardless of storage scheme
used, should be protected as if they were clear text. Hashed
passwords are subject to {{dictionary attacks}} and {{brute-force
attacks}}.
The {{userPassword}} attribute is allowed to have more than one value,
and it is possible for each value to be stored in a different form.
During authentication, {{slapd}} will iterate through the values
until it finds one that matches the offered password or until it
runs out of values to inspect. The storage scheme is stored as a prefix
on the value, so a Unix {{crypt}}-style password might look like this:
runs out of values to inspect. The storage scheme is stored as a prefix
on the value, so a hashed password using the Salted SHA1 ({{EX:SSHA}})
scheme looks like:
> userPassword: {
CRYPT}.7D8U/PCF00Hw
> userPassword: {
SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
In general, it is safest to store passwords in a salted hashed format
like SSHA. This makes it very hard for an attacker to derive passwords
from stolen backups or by obtaining access to the on-disk {{slapd}}
database.
The advantage of hashed passwords is that an attacker which
discovers the hash does not have direct access to the actual password.
Unfortunately, as dictionary and brute force attacks are generally
quite easy for attackers to successfully mount, this advantage is
marginal at best (this is why all modern Unix systems use shadow
password files).
The disadvantage of hashed storage is that it prevents the use of some
authentication mechanisms such as {{EX:DIGEST-MD5}}.
The disadvantages of hashed storage is that they are non-standard, may
cause interoperability problem, and generally preclude the use
of stronger than Simple (or SASL/PLAIN) password-based authentication
mechanisms such as {{EX:DIGEST-MD5}}.
H3:
CLEARTEXT
password storage scheme
H3:
SSHA
password storage scheme
Cleartext passwords can be stored directly in the {{userPassword}}
attribute, or can have the '{CLEARTEXT}' prefix. These two values are
equivalent:
This is the salted version of the SHA scheme. It is believed to be the
most secure password storage scheme supported by {{slapd}}.
> userPassword: secret
> userPassword: {CLEARTEXT}secret
These values represent the same password:
> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
> userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb
H3: CRYPT password storage scheme
...
...
@@ -218,9 +234,8 @@ transferred to or from an existing Unix password file without having
to know the cleartext form. Both forms of {{crypt}} include salt so
they have some resistance to dictionary attacks.
Note: Since this scheme uses the operation system's {{crypt(3)}} hash function,
it is therefore operation system specific.
Note: Since this scheme uses the operating system's {{crypt(3)}}
hash function, it is therefore operating system specific.
H3: MD5 password storage scheme
...
...
@@ -251,16 +266,6 @@ of salt leaves the scheme exposed to dictionary attacks.
> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
H3: SSHA password storage scheme
This is the salted version of the SHA scheme. It is believed to be the
most secure password storage scheme supported by {{slapd}}.
These values represent the same password:
> userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
> userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb
H3: SASL password storage scheme
This is not really a password storage scheme at all. It uses the
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
