
pluggable password storage format for ldiftree back end

Open cwaldbieser opened this issue 10 years ago • 3 comments

The base classes for LDAP DIT entries found in `ldaptor/entry.py` are hard-coded to store password hashes for simple BINDs in salted SHA1 format. The entry is prefixed with "{SSHA}". This is similar to one of the schemes that OpenLDAP uses, but allowing alternate schemes may be a good idea.

If the entry has no prefix, it can indicate the password itself is stored in plain text. This is useful for developing and debugging. Different hash formats could have different prefixes. For example {SHA} for unsalted SHA or maybe {PBKDF2} for Password-Based Key Derivation Function 2.

There would need to be a default storage format that is configurable. That would indicate the format used when the LDAP modify password extended request is used.

Also, it may be nice to allow configuration of the attribute in which the password/hash is stored. OpenLDAP allows this, but defaults to userPassword.

cwaldbieser avatar Jan 27 '15 20:01 cwaldbieser
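The prefix-dispatched scheme registry the issue sketches, as an added example (not ldaptor's own code). It assumes OpenLDAP's {SSHA} layout, base64(sha1(password + salt) + salt), treats an unprefixed value as plain text as the issue proposes, and uses constant-time comparison for every verifier; the scheme names, function names and default are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Constructed example of a pluggable password-scheme registry for an LDAP
# entry's userPassword value. The {SSHA} layout assumed here is OpenLDAP's:
# base64(sha1(password + salt) + salt), salt appended after the 20-byte digest.

def _ssha_encode(password: bytes, salt=None) -> str:
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def _ssha_verify(password: bytes, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def _sha_encode(password: bytes) -> str:
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")

def _sha_verify(password: bytes, stored: str) -> bool:
    expected = base64.b64decode(stored[len("{SHA}"):])
    return hmac.compare_digest(hashlib.sha1(password).digest(), expected)

def _plain_verify(password: bytes, stored: str) -> bool:
    # No prefix: the stored value is the password itself (debug/dev use).
    return hmac.compare_digest(password, stored.encode("utf-8"))

# prefix -> (encoder, verifier); a {PBKDF2} entry would slot in the same way.
SCHEMES = {
    "{SSHA}": (_ssha_encode, _ssha_verify),
    "{SHA}": (_sha_encode, _sha_verify),
}
DEFAULT_SCHEME = "{SSHA}"   # the configurable default the issue asks for

def encode_password(password: bytes, scheme: str = DEFAULT_SCHEME) -> str:
    """Encode a new password (e.g. from a modify-password request) with a scheme."""
    encoder, _ = SCHEMES[scheme]
    return encoder(password)

def verify_password(password: bytes, stored: str) -> bool:
    """Dispatch on the stored value's prefix; an unprefixed value is plain text."""
    for prefix, (_, verifier) in SCHEMES.items():
        if stored.startswith(prefix):
            return verifier(password, stored)
    return _plain_verify(password, stored)
```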

Sounds like one would typically use passlib for such a task. https://bitbucket.org/ecollins/passlib/wiki/Home

schlenk avatar Feb 02 '16 12:02 schlenk

Nice find! :)

psi29a avatar Feb 03 '16 09:02 psi29a

For SHA and SSHA: https://github.com/peppelinux/pySSHA-slapd

peppelinux avatar May 09 '20 12:05 peppelinux