Q&A: Storing Passwords in LDAP

How does LDAP store passwords and how can I ensure they are encrypted?

By default, LDAP stores passwords in the userPassword attribute as plain text. If the password contains special characters (e.g., =, :, !), the value is Base64 encoded. It’s important to note that Base64 encoding is not encryption: anyone who can read the attribute can decode the original password.

For user authentication against LDAP, storing passwords in this manner may be sufficient. However, other services often require different methods.

To store passwords in an encrypted format, LDAP provides the ldappasswd command. It uses the settings (e.g., cipher, hash) defined in the /etc/ldap/slapd.conf file. It’s crucial to understand that this method does not generate password hashes for other services like Samba or Kerberos.

How are password hashes stored in LDAP for other services like Samba and Kerberos?

Different services use specific attributes to store password hashes:

  • Samba: Uses attributes such as SambaUserPassword and NTPasswordHash.
  • Kerberos: Uses various krb5Keys attributes.

In UCS (Univention Corporate Server), these password hashes are generated exclusively through the Univention Directory Manager (UDM). This ensures that the necessary password hashes for services like Samba and Kerberos are properly created and managed.

For more information about password hashes, take a look at our manual.
