I have listed the users with their passwords using ldapsearch
and the passwords are not listed in clear text, but does that really confirm they are not stored in clear text?
Yes, no, maybe.
I think ldapsearch and for example a password policy overlay do not replace stored clear text passwords with an encrypted or hashed version in search responses. Encryption/hashing of cleartext passwords only occurs when passwords are set/updated. I think that in that regard you can trust what ldapsearch shows you.
But both ldapsearch and slapcat display userPassword in base64-encoded format. A double colon :: after the attribute name is used to indicate that the value is base64-encoded.
userPassword:: c2VjcmV0LXBhc3N3b3JkCg==
userPassword:: e1NTSEF9RGtNVHdCbCthLzNEUVR4Q1lFQXBkVXROWEdnZFVhYzMK
You won't actually know until you decode that base64 character string whether the password is hashed or clear text. If you find only passwords in the form of {hash prefix}salt/value:
userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb
userPassword: {CRYPT}$1$czBJdDqS$TmkzUAb836oMxg/BmIwN.1
userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
userPassword: {SMD5}4QWGWZpj9GCmfuqEvm8HtZhZS6E=
then you're good. Passwords without such a prefix are plain text.
Just checking the config file is not sufficient.
Indeed. When the password hashing/encryption is enabled/changed neither existing clear text passwords nor existing passwords encrypted with different algorithms are converted.
As far as I'm aware, after changing the default password policy, existing clear text passwords and passwords hashed with other algorithms will not stop working either; the ldap daemon simply iterates through all supported mechanisms whenever an authentication request is made.
To inspect the contents of the actual stored data in OpenLDAP the easiest is probably exporting the database to a readable LDIF format with slapcat; extract all userPassword attribute values from that LDIF and base64 decode them.
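The audit described in this answer, as an added example that is not part of the original post: it unfolds a slapcat-style LDIF dump, base64-decodes every userPassword:: value, and reports the storage scheme of each entry so clear-text values stand out. The LDIF below is constructed (the DNs are hypothetical); the two base64 values are the ones shown above.

```python
import base64
import re

# Constructed sample LDIF in the shape slapcat/ldapsearch emit. alice decodes
# to an {SSHA} hash, bob decodes to a clear-text string, carol is unencoded.
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9RGtNVHdCbCthLzNEUVR4Q1lFQXBkVXROWEdnZFVhYzMK

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword:: c2VjcmV0LXBhc3N3b3JkCg==

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
userPassword: {CRYPT}$1$czBJdDqS$TmkzUAb836oMxg/BmIwN.1
"""

# RFC 2307 style scheme prefix, e.g. {SSHA}, {CRYPT}, {MD5}, {SMD5}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def unfold_ldif(text):
    """Join LDIF continuation lines (slapcat wraps long values at 76 chars)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def extract_passwords(ldif_text):
    """Yield (dn, decoded userPassword) pairs; '::' marks a base64 value."""
    dn = None
    for line in unfold_ldif(ldif_text):
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            raw = base64.b64decode(line[len("userPassword:: "):])
            yield dn, raw.decode("utf-8", "replace").rstrip("\n")
        elif line.startswith("userPassword: "):
            yield dn, line[len("userPassword: "):]

def classify(value):
    """Return the hash scheme name, or CLEARTEXT when no {scheme} prefix exists."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"

def audit(ldif_text):
    """Map each DN to its password storage scheme."""
    return {dn: classify(v) for dn, v in extract_passwords(ldif_text)}

if __name__ == "__main__":
    for dn, scheme in audit(SAMPLE_LDIF).items():
        print(f"{scheme:10} {dn}")
```

Run it against the real output of slapcat to list every entry whose password is still stored without a scheme prefix.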