The base classes for LDAP DIT entries found in :file:`ldaptor/entry.py` are hard-coded to store password hashes for simple BINDs in salted SHA1 format. The entry is prefixed with "{SSHA}". This is similar to one of the schemes that OpenLDAP uses, but allowing alternate schemes may be a good idea.
If the entry has no prefix, it can indicate the password itself is stored in plain text. This is useful for developing and debugging. Different hash formats could have different prefixes. For example, {SHA} for unsalted SHA or maybe {PBKDF2} for Password-Based Key Derivation Function 2.
There would need to be a default storage format that is configurable. That would indicate the format used when the LDAP modify password extended request is used.
Also, it may be nice to allow configuration of the attribute in which the password/hash is stored. OpenLDAP allows this, but defaults to `userPassword`.
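An added sketch of the prefix dispatch proposed above, with a configurable default scheme for newly set passwords; it is not code from ldaptor or from this issue. The `{PBKDF2}` field layout, the iteration count, and the names `hash_password`, `verify_password`, `DEFAULT_SCHEME` and `allow_plaintext` are assumptions made for the example.

```python
from base64 import b64decode, b64encode
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not a value from the issue
DEFAULT_SCHEME = "PBKDF2"    # assumed name for the configurable default


def hash_password(password: bytes, scheme: str = DEFAULT_SCHEME) -> bytes:
    """Encode a new password, e.g. for a modify-password request."""
    if scheme == "SSHA":  # base64(SHA1(password + salt) + salt)
        salt = os.urandom(8)
        digest = hashlib.sha1(password + salt).digest()
        return b"{SSHA}" + b64encode(digest + salt)
    if scheme == "SHA":  # unsalted, kept only for compatibility
        return b"{SHA}" + b64encode(hashlib.sha1(password).digest())
    if scheme == "PBKDF2":  # constructed layout: iterations$salt$key
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
        fields = [str(PBKDF2_ITERATIONS).encode(), b64encode(salt), b64encode(key)]
        return b"{PBKDF2}" + b"$".join(fields)
    raise ValueError("unsupported scheme: " + scheme)


def verify_password(stored: bytes, guess: bytes,
                    allow_plaintext: bool = False) -> bool:
    """Check a simple-BIND password against a stored userPassword value."""
    if not stored.startswith(b"{"):
        # No prefix means plain text: accept only when explicitly enabled.
        return allow_plaintext and hmac.compare_digest(stored, guess)
    scheme, _, body = stored[1:].partition(b"}")
    try:
        if scheme == b"SSHA":
            raw = b64decode(body, validate=True)
            expected, salt = raw[:20], raw[20:]  # SHA1 digest is 20 bytes
            actual = hashlib.sha1(guess + salt).digest()
        elif scheme == b"SHA":
            expected = b64decode(body, validate=True)
            actual = hashlib.sha1(guess).digest()
        elif scheme == b"PBKDF2":
            rounds, salt, key = body.split(b"$")
            salt, expected = (b64decode(f, validate=True) for f in (salt, key))
            actual = hashlib.pbkdf2_hmac("sha256", guess, salt, int(rounds))
        else:
            return False  # unknown scheme: fail closed
    except (ValueError, OverflowError):
        return False  # malformed stored value: fail closed
    return hmac.compare_digest(expected, actual)
```

Because the scheme is read from the stored value, entries hashed under an older scheme keep verifying after the default changes, and a plain-text password that happens to start with `{` cannot be represented.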