pluggable password storage format for ldiftree back end

[cwaldbieser]

The base classes for LDAP DIT entries found in :file:ldaptor/entry.py are hard-coded to store password hashes for simple BINDs in salted SHA1 format. The entry is prefixed with "{SSHA}". This is similar to one of the schemes that OpenLDAP uses, but allowing alternate schemes may be a good idea.

If the entry has no prefix, it can indicate the password itself is stored in plain text. This is useful to developing and debugging. Different hash formats could have different prefixes. For example {SHA} for unsalted SHA or maybe {PBKDF2} for Password-Based Key Derivation Function 2.

There would need to be a default storage format that is configurable. That would indicate the format used when the LDAP modify password extended request is used.

Also, it may be nice to allow configuration of the attribute in which the password/hash is stored. OpenLDAP allows this, but defaults to userPassword.

[schlenk]

Sounds like one would typically use passlib for such a task. https://bitbucket.org/ecollins/passlib/wiki/Home

[psi29a]

Nice find! :)

[peppelinux]

For SHA e SSHA:
https://github.com/peppelinux/pySSHA-slapd