Hi, please excuse my inexperience with LDAP and similar stuff. But from what I understand, in the case of a login, Authelia verifies the given username and password against those provided by LLDAP using the LDAP protocol, is that correct? How do I get the password hash using the LDAP protocol and tools like
I would also like to know what kind of hashing, encryption, and general process a given password undergoes with the default parameters in both Authelia and LLDAP, with "custom" as the implementation backend in Authelia. Thanks
Hi! You're partly correct: Authelia indeed checks the user's password using the LDAP protocol to talk to LLDAP. However, it doesn't get the password hash. Instead, it sends the credentials to LLDAP (an LDAP Bind operation); basically, it tries to log in as the user and checks that it succeeds. The verification is done inside LLDAP. A derivation of the password is indeed stored in the DB, but it's not a hash. It's the information needed for a zero-knowledge proof that the user has the same password as when they last changed it. See https://github.com/lldap/lldap/blob/main/docs%2Farchitecture.md for more details. This is not configurable. Note that from the web interface, the password is never actually sent to the server. That increases the security in case someone listens to your web traffic. The password "hash" is not exposed through any interface. It wouldn't make sense without the private server key and the specific OPAQUE implementation (not the latest implementation there is, sadly).
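As an added example (not code from LLDAP, Authelia or anyone in this thread), here is the LDAPv3 simple Bind exchange described above, hand-encoded in BER (RFC 4511) with only the Python standard library; the DN, password and the server replies are constructed for the demo, and `parse_bind_response` shows how the client learns success or `invalidCredentials` without ever seeing a hash.

```python
# Added example: LDAPv3 simple Bind (RFC 4511) hand-encoded in BER; the DN,
# password and server replies are constructed for the demo (stdlib only).
SUCCESS, INVALID_CREDENTIALS = 0, 49          # LDAP resultCode values

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):
    # minimal two's-complement INTEGER (message IDs and the version are small)
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def read_tlv(buf, pos):
    """Decode one TLV starting at pos; return (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long-form length
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    The password is a bare OCTET STRING: only LDAPS/StartTLS protects it in transit."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, op))    # 0x60 = [APPLICATION 0]

def bind_response(msg_id, code, diag=""):
    """Constructed server reply: BindResponse { resultCode, matchedDN, diag }."""
    op = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, op))    # 0x61 = [APPLICATION 1]

def parse_bind_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, body, _ = read_tlv(msg, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = read_tlv(body, 0)
    tag, op, _ = read_tlv(body, pos)
    assert tag == 0x61, "not a BindResponse"
    _, code, pos = read_tlv(op, 0)        # ENUMERATED resultCode
    _, _matched, pos = read_tlv(op, pos)  # matchedDN (usually empty)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big", signed=True), code[0], diag.decode()
```

The request frame carries the password as plain octets, which is why the Authelia-to-LLDAP link should be TLS-protected even though LLDAP itself stores only the OPAQUE material.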
Sorry for being dense. I'm having a bit of a hard time understanding the first paragraph. At this point I guess that LLDAP will do its "OPAQUE magical comparison", having received the clear password and having that password_blob stored in the database, and then it will respond to Authelia with a valid or invalid credential pair. And I am not sure of this last sentence since I see only a bunch of bytes. I opened this discussion because I wanted to code my own registration page for my, let's say, ecosystem backed by Authelia and LDAP with custom logic and an invite system. But now I think I have to study how this OPAQUE thing works and maybe study the LLDAP code.
You can create a new user through LDAP and set the password there. Or you can send a password modification request through LDAP for an existing user (password modify extended request, I think?).
The advantage is that it'll be immediately compatible with FreeIPA, OpenLDAP and others.