Reputation: 2103
I know that an LDAP directory can store userPassword as clear-text or hashed (with one of the available algorithms).
The client sends the userPassword in cleartext. The auth server checks whether the stored password is in hashed form or clear-text, and depending on the case it compares the password from the client to the stored value.
To make the connection secure we can use TLS, but do we need to send the password from client to server in cleartext form only?
Do we have an option in which the client sends the password in hashed format?
Upvotes: 0
Views: 536
Reputation: 11132
Unless the LDAP client is using a password-less SASL method for the BIND operation, the password should be sent in clear text over a secure connection. Only in this way can the directory server enforce password quality rules, password history, and so forth. Software professionals should reject the idea of sending passwords pre-encoded for this reason.
The directory server should be configured to use a salted SHA-2 with the longest digest available (professional-quality directory servers support salted SHA-2 with 512 bit digest). Otherwise, if there is a requirement to use a low-security SASL method like DIGEST-MD5, the server requires access to the password; therefore the password should be stored in the strongest reversible encryption available, which I believe is AES.
To summarize, if simple BIND operations are used to authenticate:
Upvotes: 3
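As an added illustration of the storage recommendation in the answer above (example code written for this page, not from the question or answer authors, and not any directory server's own implementation): a minimal server-side simple BIND that stores userPassword as salted SHA-512 and verifies a cleartext password against it. It assumes the `{SSHA512}` encoding layout used by OpenLDAP's pw-sha2 module, base64(SHA-512(password || salt) || salt); the function names `make_ssha512`, `verify_ssha512` and `simple_bind`, the in-memory `DIRECTORY` and the `uid=alice,...` entry are constructed for the example. The point it makes concrete: the salt lives only inside the stored value on the server, so the server has to receive the cleartext (over TLS) to recompute the digest; a client cannot pre-hash without knowing that salt, and the server could not check password quality or history against a client-supplied hash.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Scheme tag and sizes for the {SSHA512} userPassword encoding
# (assumed to follow OpenLDAP's pw-sha2 layout: base64(digest || salt)).
SCHEME = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes
SALT_LEN = 16


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a cleartext password as a {SSHA512} userPassword value.

    A fresh random salt is drawn unless one is supplied (a fixed salt is
    only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA512} value.

    The salt is recovered from the stored value itself; the client never
    sees it, which is why the server must receive the cleartext password.
    """
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


# Constructed in-memory directory standing in for the server's entries.
DIRECTORY: Dict[str, str] = {
    "uid=alice,ou=people,dc=example,dc=com": make_ssha512("correct horse battery"),
}


def simple_bind(dn: str, password: str) -> bool:
    """Server side of a simple BIND: look up the entry and verify the password."""
    stored = DIRECTORY.get(dn)
    if stored is None:
        # Still run one hash so unknown and known DNs take similar time.
        verify_ssha512(password, make_ssha512("", b"\x00" * SALT_LEN))
        return False
    return verify_ssha512(password, stored)


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"
    print(simple_bind(dn, "correct horse battery"))  # True
    print(simple_bind(dn, "wrong"))                  # False
    # Same password, two different salts: the stored values differ, so a
    # client cannot pre-hash without knowing the server's salt.
    print(make_ssha512("pw", b"A" * 16) != make_ssha512("pw", b"B" * 16))  # True
```

The digest-then-salt ordering and the 16-byte salt length are choices for this example; a real deployment lets the directory server generate the value (for example via its password-hash configuration) rather than hand-building userPassword attributes.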