<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 02/12/2015 01:25 AM, Michael Lasevich wrote:<br> </div> <blockquote cite="mid:CAAFs98W5p8-tRgO1QEQRX6Lbg_DA0OgJU+-s+LiV+pmND-aprA@mail.gmail.com" type="cite"> <div dir="ltr"> <div> <div>Ok, after a few awkward questions from an auditor, I am starting to face the uncomfortable truth that my understanding about how FreeIPA works is a lot fuzzier than I would like.<br> <br> Specifically, the question I could not answer - where are the passwords stored and how are they encrypted? My understanding is that all authentication is handled by Kerberos server, which stores its data in LDAP - but where and how is a bit of a mystery to me. Any way to dump out the password hashes?<br> </div> </div> </div> </blockquote> <br> Passwords are stored in LDAP in two different attributes per entry. One with LDAP password hash and another is Kerberos password hash allowing authentication either with Kerebros or LDAP. Both follow best practices in terms of using hash algorithms. The attributes themselves are protected by the access control instructions (ACI) so only a super priviledged admin or user himself can interact with this attribute. During normal operations it is not fetched and read. The core of the DS processes it behind the closed doors so it is possible to reset but not to read.<br> This is how LDAP works and not different from any modern directory server. <br> <br> <br> <blockquote cite="mid:CAAFs98W5p8-tRgO1QEQRX6Lbg_DA0OgJU+-s+LiV+pmND-aprA@mail.gmail.com" type="cite"> <div dir="ltr"> <div> <div><br> </div> Thanks,<br> <br> </div> -M<br> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </body> </html>