09-22-2010, 05:32 PM
Gerrard Geldenhuis

Enforcement of password policy dependent on presence of {password encryption type}?

Hi

Problem Statement:

If I have the following ldif executed by Directory Manager:

dn: uid=jsmith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171

This will get transmitted in clear text (via ssl, if enabled) to the server if done remotely and will be subject to any password policy set.

If however the ldif looks like:

dn: uid=smith,ou=People,dc=mycompany
changetype: modify
replace: userPassword
userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt

It is not subject to the password policy and still gets changed.

Doing an ldapsearch will show the following:

# jsmith, People, mycompany
dn: uid=jsmith,ou=People,dc=mycompany
uid: jsmith
cn: John Smith
userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=

Questions:

Is the difference in behaviour when using a clear text password as opposed to a {SSHA} password intentional? Granted that it gets executed as Directory Manager.

Is there any way apart from looking at:

dn: cn=config
passwordStorageScheme: ssha

to determine what the encryption will be. Or put differently, how can I be sure that the string I am seeing has been properly encrypted according to the set standard?

Best Regards






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
09-22-2010, 05:49 PM
Rich Megginson

Enforcement of password policy dependent on presence of {password encryption type}?

Gerrard Geldenhuis wrote:
>
> Hi
>
> Problem Statement:
>
> If I have the following ldif executed by Directory Manager:
>
> dn: uid=jsmith,ou=People,dc=mycompany
> changetype: modify
> replace: userPassword
> userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
>
> This will get transmitted in clear text (via ssl, if enabled) to the
> server if done remotely and will be subject to any password policy set.
>
> If however the ldif looks like:
>
> dn: uid=smith,ou=People,dc=mycompany
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
>
> It is not subject to the password policy and still gets changed.
>
> Doing an ldapsearch will show the following:
>
> # jsmith, People, mycompany
> dn: uid=jsmith,ou=People,dc=mycompany
> uid: jsmith
> cn: John Smith
> userPassword:: e1NTSEF9SnZ6ZTNrbk5GMTY1TU10MXZ5TEoyVHVoS205d0hvUnQ=
>
> Questions:
>
> Is the difference in behaviour when using a clear text password as
> opposed to a {SSHA} password intentional?
>
Yes.
>
> Granted that it gets executed as Directory Manager.
>
And that is why it goes through. Because you are using Directory
Manager, the directory server "assumes you know what you are doing".
>
> Is there any way apart from looking at:
>
> dn: cn=config
> passwordStorageScheme: ssha
>
> to determine what the encryption will be. Or put differently, how can I
> be sure that the string I am seeing has been properly encrypted
> according to the set standard?
>
Only set userPassword using clear text. That way you never have to
worry about whether or not it has been properly encrypted. Never send a
pre-encrypted password to the server. Using pre-encrypted passwords
will break things like windows sync, kerberos, sasl/digest-md5 -
anything that must have the clear text password.
>
> Best Regards
>
 
09-22-2010, 05:56 PM
"Morris, Patrick"

Enforcement of password policy dependent on presence of {password encryption type}?

On 9/22/2010 10:32 AM, Gerrard Geldenhuis wrote:
> Hi
>
> Problem Statement:
>
> If I have the following ldif executed by Directory Manager:
>
> dn: uid=jsmith,ou=People,dc=mycompany
> changetype: modify
> replace: userPassword
> userPassword: 5A80f5A80FFE3A51BA71A0014F88F0204995334D9849DC02E1A7E06dd171
>
> This will get transmitted in clear text (via ssl, if enabled) to the
> server if done remotely and will be subject to any password policy set.
>
> If however the ldif looks like:
>
> dn: uid=smith,ou=People,dc=mycompany
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}Jvze3knNF165Msadf1vfLJTuhKm9wHoRt
>
> It is not subject to the password policy and still gets changed.
>
> [snip]
>
> Questions:
>
> Is the difference in behaviour when using a clear text password as
> opposed to a {SSHA} password intentional? Granted that it gets
> executed as Directory Manager.

I would think that the difference is not only intentional, but
absolutely necessary. SSHA is a *hash*; it is not the password.
There's no way to convert that hash back to a password to determine
if the original data complied with security policies.





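An added example, not code from the thread or from 389 Directory Server, that works through the three points raised above: Gerrard's question of how to tell whether a stored userPassword value really is in the scheme set by passwordStorageScheme, Patrick's point that a hash cannot be tested against a policy, and Rich's advice to send only clear text. It assumes the common {SSHA} layout, base64(sha1(password + salt) + salt), handles the "attr:: base64" form that ldapsearch uses for values it cannot print as plain ASCII, and uses constructed sample values throughout (not the hashes quoted in the thread).

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; whatever follows it is the salt


def decode_ldif_attr(line):
    """Split one LDIF line into (attribute, value).

    ldapsearch prints values that are not safe ASCII (anything starting
    with '{', for instance) as 'attr:: <base64>' rather than 'attr: <value>'.
    """
    if ":: " in line:
        attr, b64 = line.split(":: ", 1)
        return attr, base64.b64decode(b64).decode("utf-8")
    attr, value = line.split(": ", 1)
    return attr, value


def storage_scheme(value):
    """Return the {SCHEME} tag of a stored userPassword, or 'CLEAR' if none."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEAR"


def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(sha1(password + salt) + salt).

    Used here only to construct sample data; in normal operation the server
    does this itself when it receives a clear-text userPassword.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def inspect_ssha(value):
    """Check that an {SSHA} value is well-formed.

    Returns (ok, salt_len, reason). Well-formed means: the tag is SSHA and the
    payload is valid base64 holding at least one SHA-1 digest's worth of bytes.
    """
    if storage_scheme(value) != "SSHA":
        return False, 0, "not an {SSHA} value"
    try:
        raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False, 0, "payload is not valid base64"
    if len(raw) < SHA1_LEN:
        return False, 0, "payload shorter than a SHA-1 digest"
    return True, len(raw) - SHA1_LEN, "ok"


def verify_ssha(value, candidate):
    """Recompute sha1(candidate + salt) and compare it to the stored digest."""
    ok, _, _ = inspect_ssha(value)
    if not ok:
        return False
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def policy_check(value, min_length=8):
    """Evaluate a toy password policy (minimum length) the way a server can.

    A clear-text value can be judged; a pre-hashed value cannot, because the
    hash does not reveal the password, so the result is 'unknown'.
    """
    if storage_scheme(value) != "CLEAR":
        return "unknown"
    return "pass" if len(value) >= min_length else "fail"


# Constructed sample data (not values from the thread).
SAMPLE_SALT = b"saltsalt"
SAMPLE_SSHA = make_ssha("correct horse battery", SAMPLE_SALT)
# What ldapsearch would print for that stored value.
SAMPLE_LDIF_LINE = "userPassword:: " + base64.b64encode(
    SAMPLE_SSHA.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    attr, stored = decode_ldif_attr(SAMPLE_LDIF_LINE)
    print(attr, storage_scheme(stored), inspect_ssha(stored))
    print("verify:", verify_ssha(stored, "correct horse battery"))
    print("policy on hash:", policy_check(stored),
          "| on clear text:", policy_check("short"))
```

Running it prints the scheme tag, whether the payload has the expected shape, and whether a known clear-text password verifies against it. Note what the check can and cannot tell you: a well-formed {SSHA} value proves the string has the right structure for the configured scheme, but only a verification against the clear-text password proves it was derived from that password, and no check on the hash alone can say whether the password met the policy. That is exactly why the answers above recommend letting the server hash a clear-text value rather than sending a pre-hashed one.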