[Freeipa-users] Where and how are passwords stored?

Dmitri Pal dpal at redhat.com
Thu Feb 12 07:20:36 UTC 2015


On 02/12/2015 01:25 AM, Michael Lasevich wrote:
> Ok, after a  few awkward questions from an auditor, I am starting to 
> face the uncomfortable truth that my understanding about how FreeIPA 
> works is a lot fuzzier than I would like.
>
> Specifically, the question I could not answer - where are the 
> passwords stored and how are they encrypted? My understanding is that 
> all authentication is handled by Kerberos server, which stores its 
> data in LDAP - but where and how is a bit of a mystery to me. Any way 
> to dump out the password hashes?

Passwords are stored in LDAP in two different attributes per entry. One 
with LDAP password hash and another is Kerberos password hash allowing 
authentication either with Kerberos or LDAP. Both follow best practices 
in terms of using hash algorithms. The attributes themselves are 
protected by the access control instructions (ACI) so only a super 
privileged admin or user himself can interact with this attribute. 
During normal operations it is not fetched and read. The core of the DS 
processes it behind the closed doors so it is possible to reset but not 
to read.
This is how LDAP works and not different from any modern directory server.


>
> Thanks,
>
> -M
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
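Added example, not from this thread: a small Python audit helper that answers the auditor's question from the unprivileged side. It assumes the two attributes are userPassword and krbPrincipalKey (the reply above does not name them) and runs over a constructed LDIF dump taken with an ordinary user bind; any hash attribute that shows up at all means the ACIs are not doing their job, and a userPassword value carrying a weak scheme is flagged as well.

```python
import base64

# Attributes holding the LDAP hash and the Kerberos keys (assumed names; the
# post only says "two attributes"). Weak userPassword schemes to flag.
PASSWORD_ATTRS = {"userpassword", "krbprincipalkey"}
WEAK_SCHEMES = {"CLEAR", "MD5", "SMD5", "SHA", "SSHA", "CRYPT"}

def parse_ldif(text):
    """Minimal LDIF parser (no line folding): {dn: {attr_lower: [values]}}."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:    # trailing "" flushes last entry
        if not line.strip():                 # blank line ends an entry
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries

def audit_password_exposure(ldif_text):
    """Audit a dump taken with an unprivileged bind: a password attribute
    present at all means the ACIs exposed it; weak schemes get a 2nd finding."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text).items():
        for attr in sorted(PASSWORD_ATTRS & set(attrs)):
            findings.append((dn, attr, "readable by unprivileged bind"))
        for value in attrs.get("userpassword", []):
            scheme = "CLEAR"                 # no {SCHEME} prefix: cleartext
            if value.startswith("{") and "}" in value:
                scheme = value[1:value.index("}")].upper()
            if scheme in WEAK_SCHEMES:
                findings.append((dn, "userpassword", "weak scheme " + scheme))
    return findings

# Constructed sample: alice is what an unprivileged bind should see; bob leaks.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
userPassword: {SSHA}Zm9vYmFy
krbPrincipalKey:: AAECAw==
"""
```

Feed it the output of an ldapsearch run as a plain user: an empty findings list is the answer the auditor wants to hear.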
