
Open Directory/LDAP Password Encryption

Hello everyone,

I'm trying to sync my LDAP Directory with another directory service. This other directory service only supports SHA1 and MD5 encryption and I would need to know what encryption Open Directory uses for passwords. I thought it would be an easy google search, but apparently it is not.

Thanks!

xserve 10.5

Posted on Jan 20, 2010 1:26 PM

2 replies

Jan 28, 2010 9:18 AM in response to Abel408

Unlike some other LDAP directories, OS X doesn't store a password inside the LDAP record - it uses an "SASL" mechanism - it queries the "AuthenticationAuthority" attribute to find the location where the user password can be retrieved.

The passwords are stored inside the PasswordServer (SASL Server), in CRAM-MD5, Digest-MD5, DHX, etc. (see Page 50 of the Open Directory Administration Guide).

It also supports LDAP Bind (using cleartext passwords), but this is a nasty security risk.

Some ways you could consider to propagate the password from other LDAP directories are either:
- Propagate the password as a password attribute - but this will require changing the way clients bind to query this attribute.
- Use a script to change the entries in PasswordService using "dscl" commands on the OS X Server - this is probably a better long term solution.
