I would like to store user credentials in an OpenLDAP or similar directory server.

A lot of online commentary about storing passwords in modern contexts recommends using password derivation schemes like PBKDF2, bcrypt and scrypt. It looks like OpenLDAP offers salted SHA1 as its "most secure" storage option.

Two questions:

  • Is Salted SHA strong enough to protect passwords in the event of compromise?
  • What are my options for hardening password storage on OpenLDAP?
duffbeer703

1 Answer

Ok, so I found some resources that are helping me to answer my question.

  • There is a module that allows you to use PBKDF2 with either SHA1, SHA256 or SHA 512. This is probably the best solution for most situations. (See: https://github.com/hamano/openldap-pbkdf2 )
  • Alternatively, you can use the local Unix/Linux crypt facility, and configure OpenLDAP to salt the passwords. YMMV by platform. Available hashes on RHEL 7.1 include MD5, Blowfish, SHA-256 and SHA-512 according to the crypt(3) manpage.

For my situation, salted general purpose hashes don't cut the mustard, so the first option is the best solution.

duffbeer703

  • This is not correct; let LDAP manage password hashing. That's what the password modify extended operation is for. See more here: http://tech.wrighting.org/2013/06/using-the-ldap-password-modify-extended-operation-with-spring-ldap/ This way you don't have to worry about hashing the password on the client side, as well as making sure LDAP password hashing is configured the same way. – user1159819 Apr 26 '16 at 16:52
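As an added example (not from the answer above or from the openldap-pbkdf2 project), this Python script encodes and verifies a userPassword value in the two forms the answer contrasts, OpenLDAP's built-in {SSHA} and a PBKDF2-SHA512 scheme, and measures how many wrong guesses per second each allows locally. The {SSHA} layout is the standard one; the PBKDF2 field layout and its base64 variant are assumptions, so check them against the module you actually deploy.

```python
import base64
import hashlib
import hmac
import os
import time
# Constructed example; the {SSHA} layout is OpenLDAP's built-in base64(sha1(pw+salt)+salt).
# The "{PBKDF2-SHA512}<iter>$<salt>$<dk>" layout, with padding-free base64 and "+" as ".",
# is an ASSUMPTION about the module's format: check it against the module you deploy.

def _ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")
def _ab64_decode(text: str) -> bytes:
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))

def make_ssha(password: str, salt=None) -> str:
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def make_pbkdf2(password: str, iterations: int = 10000, salt=None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"{{PBKDF2-SHA512}}{iterations}${_ab64_encode(salt)}${_ab64_encode(dk)}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    iterations, salt, dk = stored[len("{PBKDF2-SHA512}"):].split("$")
    calc = hashlib.pbkdf2_hmac("sha512", password.encode(), _ab64_decode(salt), int(iterations))
    return hmac.compare_digest(calc, _ab64_decode(dk))

def verify(password: str, stored: str) -> bool:
    """Dispatch on the scheme prefix, as slapd does when it compares userPassword values."""
    if stored.startswith("{SSHA}"):
        return verify_ssha(password, stored)
    if stored.startswith("{PBKDF2-SHA512}"):
        return verify_pbkdf2(password, stored)
    raise ValueError("unsupported password scheme")

def guesses_per_second(stored: str, seconds: float = 0.2) -> float:
    """Wrong guesses per second against one stored value: the offline-cracking cost per guess."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        verify("not-the-password", stored)
        n += 1
    return n / seconds
```

The ratio of the two guesses_per_second figures is the cost multiplier the iteration count buys you; raise the count until a single verification takes as long as your login path can tolerate.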