Can password-hash be database specific? also, storing and verifying cleartext passwords
Tom Leach
2010-06-22 15:22:56 UTC
Is the 'password-hash' configuration function a server-wide setting only
or can it be set to different values for separate databases?
I'm trying to add MAC-auth RADIUS functionality to my LDAP server
(openldap-2.4.21) and I need to store the password for the MAC addresses
in cleartext. I also use the LDAP server for user login which I don't
want to keep in cleartext. So, my thought was to have 'password-hash
{SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
RADIUS database, but it appears that it's a global so I'm pretty sure
this won't work.

Also, how do I verify that the passwords are stored in cleartext?
On a test server, I've created just the radius database with a global
'password-hash {CLEARTEXT}', I have the following ldif file that I add with:
ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server

Contents of mac.ldif:
dn:uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword: {cleartext}001e68d08ff9
objectClass: top
objectClass: radiusProfile
objectClass: radiusObjectProfile

but when I use ldapsearch or slapcat to dump the database, the
userPassword line looks to be hashed.
ldap_server# slapcat
dn: o=radius
o: radius
objectClass: top
objectClass: organization
structuralObjectClass: organization
entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
creatorsName: cn=Manager,o=radius
createTimestamp: 20100618220235Z
entryCSN: 20100618220235.020635Z#000000#000#000000
modifiersName: cn=Manager,o=radius
modifyTimestamp: 20100618220235Z

dn: uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
objectClass: top
objectClass: radiusprofile
objectClass: radiusObjectProfile
structuralObjectClass: radiusObjectProfile
entryUUID: 591d40f2-a155-4b49-a827-5bfd92ee8c32
creatorsName: cn=Manager,o=radius
createTimestamp: 20100619000726Z
entryCSN: 20100619000726.747404Z#000000#000#000000
modifiersName: cn=Manager,o=radius
modifyTimestamp: 20100619000726Z


Here are the relevant lines from the slapd.conf file:
include /usr/local/etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/radius.schema
password-hash {CLEARTEXT}
database bdb
suffix "o=radius"
rootdn "cn=Manager,o=radius"
rootpw "secret"
directory /var/lib/ldap/radius
index objectClass eq
index ou,cn,uid,memberUid eq,pres,sub
index uniqueMember eq,pres
index entryCSN,entryUUID eq
m***@aero.polimi.it
2010-06-24 16:19:26 UTC
Post by Tom Leach
Is the 'password-hash' configuration function a server-wide setting only
Yes.
Post by Tom Leach
or can it be set to different values for separate databases?
No.
Post by Tom Leach
I'm trying to add MAC-auth RADIUS functionality to my LDAP server
(openldap-2.4.21) and I need to store the password for the MAC addresses
in cleartext. I also use the LDAP server for user login which I don't
want to keep in cleartext. So, my thought was to have 'password-hash
{SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
RADIUS database, but it appears that it's a global so I'm pretty sure
this won't work.
Also, how do I verify that the passwords are stored in cleartext?
On a test server, I've created just the radius database with a global
ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
dn:uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword: {cleartext}001e68d08ff9
objectClass: top
objectClass: radiusProfile
objectClass: radiusObjectProfile
but when I use ldapsearch or slapcat to dump the database, the
userPassword line looks to be hashed.
ldap_server# slapcat
dn: o=radius
o: radius
objectClass: top
objectClass: organization
structuralObjectClass: organization
entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
creatorsName: cn=Manager,o=radius
createTimestamp: 20100618220235Z
entryCSN: 20100618220235.020635Z#000000#000#000000
modifiersName: cn=Manager,o=radius
modifyTimestamp: 20100618220235Z
dn: uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
This is the base64 encoding of "{cleartext}001e68d08ff9"

Please note that slapd will hold what you store in it. password-hash only
hashes passwords that are written by the password modify extended
operation (RFC3062). So if you write passwords using an add or a modify
operation, it will be stored as it is provided.

p.
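The two points made above, that a double colon in LDIF output marks a base64-encoded value rather than a hash, and that an add or modify operation stores whatever value the client supplies (password-hash only applies to the RFC 3062 Password Modify extended operation), can be checked offline. The script below is an added example and is not code from this thread or from OpenLDAP. It parses slapcat-style LDIF, decodes `::` values, reports entries whose userPassword carries no hashing scheme, and builds and verifies {SSHA} values so that passwords loaded with ldapadd can be pre-hashed on the client side. The sample LDIF is constructed from the entry quoted in the thread plus a hypothetical uid=alice entry; the fixed salt exists only so the sample is reproducible.

```python
import base64
import hashlib
import hmac
import os


def parse_ldif(text):
    """Parse slapcat/ldapsearch LDIF into [{"dn": str, "attrs": {name: [bytes]}}].

    Folded lines (leading space) are joined, 'attr:: value' is base64-decoded
    (what slapcat prints for userPassword), 'attr:< url' lines are skipped, and
    attribute names are lower-cased because LDAP treats them case-insensitively.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or rest.startswith("<"):
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        if current is None:
            if name.lower() == "dn":
                current = {"dn": value.decode("utf-8"), "attrs": {}}
            continue
        current["attrs"].setdefault(name.lower(), []).append(value)
    return entries


def split_scheme(value):
    """Split a userPassword value into (SCHEME, body).

    RFC 2307 style values look like {SSHA}base64...; a value without a
    {scheme} prefix is compared by slapd as cleartext, so it is reported as
    CLEARTEXT here as well.
    """
    if value.startswith(b"{") and b"}" in value:
        close = value.index(b"}")
        scheme = value[1:close].decode("ascii", "replace").upper()
        if scheme:
            return scheme, value[close + 1:]
    return "CLEARTEXT", value


def find_cleartext_passwords(ldif_text):
    """Return the DNs whose userPassword is stored without a hashing scheme."""
    hits = []
    for entry in parse_ldif(ldif_text):
        for value in entry["attrs"].get("userpassword", []):
            if split_scheme(value)[0] == "CLEARTEXT":
                hits.append(entry["dn"])
    return hits


def make_ssha(password, salt=b""):
    """Build an {SSHA} value in the slappasswd layout:
    base64(sha1(password + salt) + salt). Random 4-byte salt unless given."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored, candidate):
    """Check a candidate against a stored value ({CLEARTEXT}, bare cleartext,
    {SHA} or {SSHA}) using constant-time comparison."""
    scheme, body = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(body, pw)
    if scheme in ("SHA", "SSHA"):
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; {SHA} has no salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported userPassword scheme: " + scheme)


# Constructed sample: the radius entry quoted in the thread plus a hypothetical
# user entry pre-hashed with {SSHA}. The fixed salt only makes the sample
# reproducible; never reuse a salt for real entries.
FIXED_SALT = b"\x5a\xa5\x5a\xa5"
SAMPLE_LDIF = (
    "dn: uid=001e68d08ff9,o=radius\n"
    "uid: 001e68d08ff9\n"
    "userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=\n"
    "objectClass: radiusProfile\n"
    "\n"
    "dn: uid=alice,ou=people,o=users\n"
    "uid: alice\n"
    "userPassword:: "
    + base64.b64encode(make_ssha("correct horse", FIXED_SALT).encode()).decode()
    + "\n"
    "objectClass: inetOrgPerson\n"
)

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        for value in entry["attrs"].get("userpassword", []):
            print(entry["dn"], "->", split_scheme(value)[0])
    print("cleartext entries:", find_cleartext_passwords(SAMPLE_LDIF))
```

Run against a real `slapcat` dump, `find_cleartext_passwords` lists the entries a password-hash setting never touched because they were loaded with ldapadd or ldapmodify; `make_ssha` produces values that can be placed directly in an LDIF so that only the MAC-address entries, if any, remain in cleartext.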
Tom Leach
2010-06-28 23:15:34 UTC
Thanks for everyone's help. I don't want users' passwords stored in
clear text in the directory, so I've set the password-hash back to SSHA.
Even when it was stored in cleartext, the passwords were base64 encoded
and freeradius wasn't seeing that as a match. Since I only need the
clear text passwords for machines for MAC-auth via freeradius, I just
went ahead and created another schema attribute in our private OID space
called userClearPassword, stored the password (MAC address) in that
attribute and then on the freeradius server, mapped that attribute to
userPassword for the instance that is doing MAC-auth.
This keeps my directory users' passwords in a good, secure encryption,
and allows my switches to MAC-auth against the cleartext passwords via
freeradius.
My other radius systems use Web-auth but they are using PAP so the
encrypted passwords stored in the directory are fine.
Thanks again!
Tom Leach
Post by m***@aero.polimi.it
Post by Tom Leach
Is the 'password-hash' configuration function a server-wide setting only
Yes.
Post by Tom Leach
or can it be set to different values for separate databases?
No.
Post by Tom Leach
I'm trying to add MAC-auth RADIUS functionality to my LDAP server
(openldap-2.4.21) and I need to store the password for the MAC addresses
in cleartext. I also use the LDAP server for user login which I don't
want to keep in cleartext. So, my thought was to have 'password-hash
{SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
RADIUS database, but it appears that it's a global so I'm pretty sure
this won't work.
Also, how do I verify that the passwords are stored in cleartext?
On a test server, I've created just the radius database with a global
ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
dn:uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword: {cleartext}001e68d08ff9
objectClass: top
objectClass: radiusProfile
objectClass: radiusObjectProfile
but when I use ldapsearch or slapcat to dump the database, the
userPassword line looks to be hashed.
ldap_server# slapcat
dn: o=radius
o: radius
objectClass: top
objectClass: organization
structuralObjectClass: organization
entryUUID: 97ab4273-42ae-4b41-9100-a8106bf766bf
creatorsName: cn=Manager,o=radius
createTimestamp: 20100618220235Z
entryCSN: 20100618220235.020635Z#000000#000#000000
modifiersName: cn=Manager,o=radius
modifyTimestamp: 20100618220235Z
dn: uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
This is the base64 encoding of "{cleartext}001e68d08ff9"
Please note that slapd will hold what you store in it. password-hash only
hashes passwords that are written by the password modify extended
operation (RFC3062). So if you write passwords using an add or a modify
operation, it will be stored as it is provided.
p.
m***@aero.polimi.it
2010-06-28 23:27:56 UTC
Post by Tom Leach
Thanks for everyone's help. I don't want users' passwords stored in
clear text in the directory, so I've set the password-hash back to SSHA.
Even when it was stored in cleartext, the passwords were base64 encoded
and freeradius wasn't seeing that as a match.
Passwords are not *stored* base64-encoded; they're just presented
base64-encoded. They're stored with their actual value. The reason for
base64-encoding them when presented is that octet-strings could be
non-printable.

p.

Quanah Gibson-Mount
2010-06-24 16:33:22 UTC
--On Tuesday, June 22, 2010 8:22 AM -0700 Tom Leach
Post by Tom Leach
userPassword line looks to be hashed.
s/hashed/base 64 encoded

Decode it to see the actual value. <attr>:: always indicates that it is in
a base 64-encoded format for LDAP.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Siddhartha Jain
2010-06-24 18:33:58 UTC
-----Original Message-----
Is the 'password-hash' configuration function a server-wide setting only
or can it be set to different values for separate databases?
I'm trying to add MAC-auth RADIUS functionality to my LDAP server
(openldap-2.4.21) and I need to store the password for the MAC
addresses
in cleartext. I also use the LDAP server for user login which I don't
want to keep in cleartext. So, my thought was to have 'password-hash
{SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
RADIUS database, but it appears that it's a global so I'm pretty sure
this won't work.
Yes, each database can have a different hashing mechanism set.
http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html

olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used in
generation of user passwords stored in the userPassword
attribute during processing of LDAP Password Modify Extended
Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
{SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.


You can have more than one password set for a user and have each password use a different hash mechanism.
Also, how do I verify that the passwords are stored in cleartext?
On a test server, I've created just the radius database with a global
What you see is a base64 encoded string.
http://www.openldap.org/faq/data/cache/1346.html

I am not familiar with MAC-auth RADIUS. Does it require that you pass a clear-text string to the RADIUS server? Mostly, RADIUS should send a "bind" request to LDAP and if that succeeds it will allow auth. If that is the case, you should not have to use clear-text passwords.

Hope this helps,

- Siddhartha
m***@aero.polimi.it
2010-06-25 12:37:53 UTC
Post by Siddhartha Jain
-----Original Message-----
Is the 'password-hash' configuration function a server-wide setting only
or can it be set to different values for separate databases?
I'm trying to add MAC-auth RADIUS functionality to my LDAP server
(openldap-2.4.21) and I need to store the password for the MAC addresses
in cleartext. I also use the LDAP server for user login which I don't
want to keep in cleartext. So, my thought was to have 'password-hash
{SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
RADIUS database, but it appears that it's a global so I'm pretty sure
this won't work.
Yes, each database can have a different hashing mechanism set.
http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html
I'm afraid that man page is incorrect. As far as I know, that directive
is global, not database specific. That's what I get from the code (and
what I remembered). You can check yourself by adding the directive and
inspecting the content of cn=config.

We need at least to fix the manpage.

p.
Howard Chu
2010-06-26 20:15:46 UTC
Post by m***@aero.polimi.it
Post by Siddhartha Jain
-----Original Message-----
Is the 'password-hash' configuration function a server-wide setting only
or can it be set to different values for separate databases?
I'm trying to add MAC-auth RADIUS functionality to my LDAP server
(openldap-2.4.21) and I need to store the password for the MAC addresses
in cleartext. I also use the LDAP server for user login which I don't
want to keep in cleartext. So, my thought was to have 'password-hash
{SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the
RADIUS database, but it appears that it's a global so I'm pretty sure
this won't work.
Yes, each database can have a different hashing mechanism set.
http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html
I'm afraid that man page is incorrect. As far as I know, that directive
is global, not database specific. That's what I get from the code (and
what I remembered). You can check yourself by adding the directive and
inspecting the content of cn=config.
We need at least to fix the manpage.
The manpage is correct. It clearly states "This setting is only allowed in the
frontend entry."
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
m***@aero.polimi.it
2010-06-26 20:39:37 UTC
Post by Howard Chu
The manpage is correct. It clearly states "This setting is only allowed in the
frontend entry."
Right; I was misled by the fact that olcPasswordHash is allowed by class
olcGlobal.

p.
Howard Chu
2010-06-26 20:52:46 UTC
Post by m***@aero.polimi.it
Post by Howard Chu
The manpage is correct. It clearly states "This setting is only allowed in the
frontend entry."
Right; I was misled by the fact that olcPasswordHash is allowed by class
olcGlobal.
Yes, it's allowed in olcGlobal for backward compatibility with slapd.conf,
which didn't enforce any distinction between "global" and "frontend"
directives. But it's not evaluated there, since it's possible to specify a
hash mechanism that is loaded from a module (and the moduleLoad parsing hasn't
occurred yet when olcGlobal is read).
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Dieter Kluenter
2010-06-24 20:27:45 UTC
Tom Leach <***@coas.oregonstate.edu> writes:

[...]
Post by Tom Leach
Also, how do I verify that the passwords are stored in cleartext?
On a test server, I've created just the radius database with a global
ldapadd -x -W -v -D 'cn=Manager,o=radius' -f mac.ldif -h ldap_server
dn:uid=001e68d08ff9,o=radius
uid: 001e68d08ff9
cn: 001e68d08ff9
userPassword: {cleartext}001e68d08ff9
objectClass: top
objectClass: radiusProfile
objectClass: radiusObjectProfile
but when I use ldapsearch or slapcat to dump the database, the
userPassword line looks to be hashed.
[...]
Post by Tom Leach
userPassword:: e2NsZWFydGV4dH0wMDFlNjhkMDhmZjk=
[...]

This is just the base64 encoding of the plaintext password. You may
decode it with mmencode -u

-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6