<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/12/2015 01:25 AM, Michael
Lasevich wrote:<br>
</div>
<blockquote
cite="mid:CAAFs98W5p8-tRgO1QEQRX6Lbg_DA0OgJU+-s+LiV+pmND-aprA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Ok, after a few awkward questions from an auditor, I am
starting to face the uncomfortable truth that my
understanding about how FreeIPA works is a lot fuzzier than
I would like.<br>
<br>
Specifically, the question I could not answer - where are
the passwords stored and how are they encrypted? My
understanding is that all authentication is handled by
Kerberos server, which stores its data in LDAP - but where
and how is a bit of a mystery to me. Any way to dump out the
password hashes?<br>
</div>
</div>
</div>
</blockquote>
<br>
Passwords are stored in LDAP in two different attributes per entry.
One holds the LDAP password hash and the other the Kerberos password
hash, allowing authentication with either Kerberos or LDAP. Both follow
best practices in terms of the hash algorithms used. The attributes
themselves are protected by access control instructions (ACIs), so
only a super-privileged admin or the user himself can interact with
them. During normal operations they are not fetched or read.
The core of the DS processes them behind closed doors, so it is
possible to reset them but not to read them.<br>
This is how LDAP works and is no different from any modern directory
server. <br>
<br>
<br>
<blockquote
cite="mid:CAAFs98W5p8-tRgO1QEQRX6Lbg_DA0OgJU+-s+LiV+pmND-aprA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
Thanks,<br>
<br>
</div>
-M<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
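<br>
<p>An added example, not part of the thread above and not FreeIPA's or 389 Directory Server's own code, illustrating the LDAP side of the answer: what a scheme-tagged salted hash in <code>userPassword</code> looks like, why a dump of it lets you verify a candidate password but not recover it, and which credential-bearing attributes an auditor should look for in an LDIF dump. It assumes the <code>{SSHA}</code>/<code>{SSHA512}</code> storage encoding (base64 of digest followed by salt). The entry, the password, the salt and the <code>krbPrincipalKey</code> bytes are all constructed here; the Kerberos value is an opaque placeholder that the code deliberately does not interpret.</p>

```python
import base64
import hashlib
import hmac

# Constructed sample inputs (not from any real directory): a password and a
# fixed salt used to build a userPassword value with a known answer.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

# Scheme tag -> (digest function, digest length in bytes).  Assumed encoding:
# base64( digest(password || salt) || salt ), prefixed with "{SCHEME}".
SCHEMES = {"SSHA": (hashlib.sha1, 20), "SSHA512": (hashlib.sha512, 64)}

# Attributes that carry credential material in a FreeIPA user entry.
CREDENTIAL_ATTRS = ("userpassword", "krbprincipalkey")


def make_userpassword(password: str, salt: bytes, scheme: str = "SSHA512") -> str:
    """Encode a password as a {SSHA}/{SSHA512} value: the salted digest with
    the salt appended, base64 together, scheme tag in front."""
    digest, _ = SCHEMES[scheme]
    raw = digest(password.encode("utf-8") + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


# Constructed LDIF fragment shaped like a FreeIPA user entry as a privileged
# bind might see it.  krbPrincipalKey is an opaque placeholder, not key material.
SAMPLE_LDIF = f"""dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
objectClass: krbprincipalaux
userPassword: {make_userpassword(SAMPLE_PASSWORD, SAMPLE_SALT)}
krbPrincipalKey:: {base64.b64encode(b"constructed opaque placeholder").decode("ascii")}
krbLastPwdChange: 20150212000000Z
"""


def parse_ldif(text: str) -> dict:
    """Parse a single LDIF entry into {attribute (lowercased): [values]}.
    Handles 'attr:: base64' (used for binary values such as krbPrincipalKey)
    and continuation lines that begin with a single space."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # unfold a wrapped value
        elif line.strip():
            lines.append(line)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())   # binary value
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def credential_attributes(entry: dict) -> list:
    """Which credential-bearing attributes a dump exposes.  Per the reply
    above, an ordinary bind is kept away from them by ACIs; a privileged
    bind sees them, but only as one-way hashes / opaque key blobs."""
    return [a for a in CREDENTIAL_ATTRS if a in entry]


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA}/{SSHA512} value.
    The salt is whatever follows the digest; the digest is recomputed and
    compared in constant time.  Nothing here reverses the hash."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a scheme-tagged hash")
    scheme, _, b64 = stored[1:].partition("}")
    if scheme.upper() not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    digest, length = SCHEMES[scheme.upper()]
    raw = base64.b64decode(b64)
    stored_digest, salt = raw[:length], raw[length:]
    computed = digest(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, stored_digest)


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    print("credential attributes present:", credential_attributes(entry))
    stored = entry["userpassword"][0]
    print("stored userPassword:", stored)
    print("right password verifies:", verify_userpassword(stored, SAMPLE_PASSWORD))
    print("wrong password verifies:", verify_userpassword(stored, "hunter2"))
```

<p>Run it as a script to see the tagged hash and the two verification results. The useful check for an audit is the negative one: bind to the directory as an ordinary user, fetch your own entry with <code>ldapsearch</code>, feed the LDIF to <code>parse_ldif</code>, and confirm that <code>credential_attributes</code> returns an empty list; only the privileged bind should ever see the two attributes, and even then <code>verify_userpassword</code> is the most the LDAP value allows.</p>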
</body>
</html>