Tuesday, January 4, 2022

[389-users] Re: Help to understand pre-hashed login

Hi, 
Although Marc is right, I do not think it will help you:
  You can generate the hash with pwdhash  then store the hashed value in userpassword. 
   But you still need to use the clear password to authenticate.
If using the hashed value were enough to authenticate, it would nullify the point of hashing (because the hashed value would then protect no more than the clear value).

IMHO, if the application is running on the server, the easiest way is to use ldapi (i.e. a named socket), because no password is needed if the application has the right to open the socket.

Otherwise strong authentication could be used but that is more painful to handle on the application side.
A last method is to use reversible encryption to store an encrypted password and let the application decode it (as ds389 does with the replication agreement password),
  but the issue is then to protect the encryption key ...

Regards,
  Pierre
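To make Pierre's point concrete, here is an added example (not from the list thread or from 389-ds itself) that reproduces the `{SSHA512}` layout pwdhash emits and verifies a candidate password against it. It assumes the 389-ds SSHA512 layout of base64(sha512(password || salt) || salt) with an 8-byte salt; the password "pasword" is a constructed value taken from Marc's command line. It shows that only the clear password verifies, so a hash copied into the application's MySQL table gives the application nothing it can bind with.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed 389-ds convention: an 8-byte random salt appended after the SHA-512 digest.
SALT_LEN = 8
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes
PREFIX = "{SSHA512}"


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA512} value in the layout assumed for `pwdhash -s SSHA512`."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(stored: str, candidate: str) -> bool:
    """Return True only if `candidate` is the clear password behind `stored`."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    if len(digest) != DIGEST_LEN or not salt:
        return False
    expected = hashlib.sha512(candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison so verification does not leak digest prefixes.
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    """Constructed demonstration: clear password verifies, the hash itself does not."""
    stored = ssha512_hash("pasword")  # constructed value, not a real credential
    return {
        "clear_password_verifies": ssha512_verify(stored, "pasword"),
        "hash_used_as_password_verifies": ssha512_verify(stored, stored),
    }


if __name__ == "__main__":
    print(demo())
```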


On Mon, Jan 3, 2022 at 8:15 PM Marc Sauton <msauton@redhat.com> wrote:
you can use the pwdhash command to generate some pre-hashed passwords, and then add them to the configurations or into the user's entries:
man pwdhash
pwdhash -s SSHA512 pasword
{SSHA512}JnzerkmYXKEuMcv...snip...
Thanks,
M.

On Thu, Dec 30, 2021 at 4:05 AM Caderize Caderize <caderize@gmail.com> wrote:
Hello everyone,
I am writing a small PHP application in order to manage D389 users.
Currently, in order to connect to it, I saved the admin password in clear text in a config.php file, just for test.

Now I would move these settings into a MySQL database and hash the password for security reasons, probably SHA1 or SHA256 with salt (will see).
The application should retrieve credentials from the MySQL db (which will be a salted hashed password "{SHA}xxxxxxxxxxxx") and try to connect to D389.

My question is: can D389 authenticate if I pass it a pre-hashed password?
Is there any documentation or example to follow?

Hope this question will not be considered as stupid.

Many Thanks
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure