Use salted SHA passwords for LDAP
They are believed to be the most secure password storage scheme
supported by slapd. See:
https://www.openldap.org/doc/admin24/security.html#SSHA%20password%20storage%20scheme
diff --git a/ldap.php b/ldap.php
index dcc2e46..c323324 100755
--- a/ldap.php
+++ b/ldap.php
@@ -158,7 +158,9 @@
if ($ENCRYPT_PASSWORDS) {
# $newEntry = ['userPassword' => "{crypt}" . crypt($new_password, '$6$' . generateSalt(10) . '$')];
- $newEntry = ['userPassword' => "{SHA}" . base64_encode(sha1($new_password, true))];
+ # $newEntry = ['userPassword' => "{SHA}" . base64_encode(sha1($new_password, true))];
+ $salt = generateSalt(10);
+ $newEntry = ['userPassword' => "{SSHA}" . base64_encode( sha1( $new_password . $salt, true) . $salt )];
} else {
$newEntry = ['userPassword' => "{CLEAR}" . $new_password];
}
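Review bot: The salt on the added `$salt = generateSalt(10);` line comes from a helper whose body is outside this hunk, so it cannot be confirmed here that salts are unique per password and drawn from a CSPRNG. Since {SSHA} accepts raw salt bytes, `$salt = random_bytes(8);` (PHP 7+) would remove that doubt, if the deployment's PHP version allows it. Separately, {SSHA} is still a single SHA-1 round, so recovered hashes remain cheap to brute-force offline. The commented-out `{crypt}` `$6$` line is costlier to attack where slapd's crypt(3) supports it, and a comment such as `# SSHA chosen for portability; {crypt} with $6$ is stronger where slapd supports it` would record the trade-off instead of leaving two dead alternatives. The enclosing function starts and ends outside the hunk.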