ldapbind using crypt or ssha passwords ?

Hi,

I was trying to use

ldapsearch -D "cn=directory manager" -w <crypt or ssha passwd> .......

It failed saying invalid credentials. I copy-pasted the crypt or ssha password from a directory search. Any idea how to make this work?

-manish
[278 byte] By [aryamka] at [2007-11-27 7:08:31]
# 1
I have tried this with other users too but this doesn't work.
aryamka at 2007-7-12 19:00:03 > top of Java-index,Web & Directory Servers,Directory Servers...
# 2

Think about your Unix login, read any /etc/passwd file, and try to authenticate with the value you read from it. You can't. It's hashed. You need to know the real cleartext password.

It's the same with Directory Server.

In order to bind to a Directory Server, you must provide the cleartext password.

Otherwise it would be a major security hole if one could read a one-way hashed password and authenticate with it.

Regards,

Ludovic.

ludovicpa at 2007-7-12 19:00:03
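An added illustration of the point in this reply (example code, not from the thread or from Sun's Directory Server): the directory stores a salted one-way hash such as {SSHA}, and a simple bind re-hashes whatever the client presents with the stored salt and compares. Feeding the stored value back in as the password therefore always fails. The entry below is constructed; the {SSHA} layout used is base64(SHA-1(password || salt) || salt), which is the common form, and `simulated_bind` is a hypothetical stand-in for the server's bind check.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the stored userPassword value, as a server does when a password is set.
    Layout: {SSHA} + base64( SHA-1(password || salt) || salt ), 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: str) -> bool:
    """Server-side check: re-hash the candidate with the stored salt and compare
    in constant time. The stored hash itself is never a valid candidate."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)


def simulated_bind(stored: str, presented: str) -> str:
    """Hypothetical model of what a simple bind does with whatever -w supplies."""
    return "bind ok" if check_ssha(stored, presented) else "invalid credentials"


if __name__ == "__main__":
    # Constructed sample entry for a test user.
    entry = make_ssha("s3cret")
    print(entry)
    print(simulated_bind(entry, "s3cret"))  # cleartext: bind ok
    print(simulated_bind(entry, entry))     # the hash pasted as -w: invalid credentials
```

The same reasoning applies to {CRYPT} values: the server only ever compares hashes of what the client sends, so the stored string is useful for verification, not for authentication.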
# 3
Hi,

My main concern is that we have to store plain text passwords in config files of applications using Sunone. So mainly I want to mask plain passwords in config files.

-Manish
aryamka at 2007-7-12 19:00:03
# 4
Your applications will need to bind to the Directory Server just the same. To protect your cleartext passwords, you will need to restrict read permissions to those config files.
gtholberta at 2007-7-12 19:00:03
# 5

You can mask the cleartext password in your application... Use reversible encryption or obfuscation. Just don't forget to reverse to the cleartext version before authenticating to the Directory Server.

Note that if you want to use reversible encryption, you will need a key which will then be either hardcoded or stored somewhere to be used by your application... Chicken and egg problem!

Ludovic.

ludovicpa at 2007-7-12 19:00:03
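An added example, written for this thread and not code from the original posts or from Sun's products, that puts the two previous replies together: the bind password is kept in the config file in reversibly encrypted form (#5), the key lives in a separate file, and both files are refused unless they are readable by the owner only (#4). It is standard-library only, so the cipher is a counter-mode keystream from HMAC-SHA256 with an encrypt-then-MAC tag; a production application would use a vetted AEAD such as AES-GCM from a crypto library or an OS keystore instead. The `{MASKED}` prefix, the `bindpw=` config key and the temp-file setup in `demo()` are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from pathlib import Path

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32
PREFIX = "{MASKED}"  # constructed marker for a masked config value


def require_private(path: str) -> None:
    """Refuse to use a file that group or others can read, write or execute (#4)."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group/other; chmod 600 it")


def load_key(path: str) -> bytes:
    """The key only moves the secret: the file permissions are the real control."""
    require_private(path)
    key = Path(path).read_bytes()
    if len(key) != KEY_LEN:
        raise ValueError("key file must hold exactly 32 random bytes")
    return key


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mask(key: bytes, cleartext: str) -> str:
    """Encrypt-then-MAC the bind password for storage in a config file."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    pt = cleartext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return PREFIX + base64.b64encode(nonce + ct + tag).decode("ascii")


def unmask(key: bytes, masked: str) -> str:
    """Reverse mask(); the result is the cleartext the application must send on bind."""
    if not masked.startswith(PREFIX):
        raise ValueError("value is not masked")
    blob = base64.b64decode(masked[len(PREFIX):])
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("masked value was altered or the key is wrong")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def bind_password(config_path: str, key_path: str) -> str:
    """Read bindpw= from a private config file and return the cleartext for the bind."""
    require_private(config_path)
    key = load_key(key_path)
    for line in Path(config_path).read_text().splitlines():
        if line.startswith("bindpw="):
            return unmask(key, line[len("bindpw="):].strip())
    raise KeyError("bindpw not found in config")


def demo() -> dict:
    """Constructed setup in a temp dir: a 0600 key file and config, then a 0644 config."""
    d = tempfile.mkdtemp()
    key_path, cfg_path = os.path.join(d, "bind.key"), os.path.join(d, "app.conf")
    key = secrets.token_bytes(KEY_LEN)
    Path(key_path).write_bytes(key)
    os.chmod(key_path, 0o600)
    Path(cfg_path).write_text("binddn=cn=proxyuser,ou=profile,dc=example,dc=com\n"
                              f"bindpw={mask(key, 'pr0xy-secret')}\n")
    os.chmod(cfg_path, 0o600)
    result = {"recovered": bind_password(cfg_path, key_path)}
    os.chmod(cfg_path, 0o644)  # world-readable config must be refused
    try:
        bind_password(cfg_path, key_path)
        result["world_readable_refused"] = False
    except PermissionError:
        result["world_readable_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the recovered password and confirms that a world-readable config is rejected. The design point is Ludovic's chicken-and-egg remark: masking stops a casual `cat` of the config from yielding the password, but anyone who can read both the key file and the config can still recover it, so the permission check is what actually protects the proxy credential.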
# 6
Does ldapclient for unix ldap auth store the passwd in the same way?
aryamka at 2007-7-12 19:00:03
# 7
Not sure I understand your question. ldapclient for unix ldap auth does not store passwords. The passwords are stored in the Directory Server.

Regards,

Ludovic.
ludovicpa at 2007-7-12 19:00:03
# 8
I mean in our environment we use a proxy user to fetch login user details, so I mean the passwd for this proxy user remains on the client.
aryamka at 2007-7-12 19:00:03
# 9

The password for the proxyuser is in /var/ldap/ldap_client_cred (Solaris 9).

It's the bind password for the proxyuser.

It looks something like this:

cat /var/ldap/ldap_client_cred
#
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=proxyuser,ou=profile,dc=<yourdomain>,dc=<com>
NS_LDAP_BINDPASSWD= {NS1}3fac7f3dae6c3cea

o.bogosavljevica at 2007-7-12 19:00:03
# 10
Yup, that's what I mean. If the ldapclient config can store an encrypted/hashed passwd, why can't we do the same for other apps? There should be some way for this.
aryamka at 2007-7-12 19:00:03