atlassian-crowd

Atlassian Crowd, OpenLDAP connector, "Password Encryption" option


When configuring the OpenLDAP directory connector connection configuration in Crowd, there is a section labeled "password encryption" (which should be re-labeled password hashing btw....)

When one has a directory connection for OpenLDAP how does authn in crowd actually work?

1) Is crowd just doing an LDAP bind against the target directory and letting the ldap server handle the hash comparison internally?

OR

2) is crowd loading the LDAP record's userPassword attribute and doing its own hash and comparison within crowd itself?

I see the "password encryption" available hashing options are DES, MD5, PLAINTEXT, SHA, SSHA. What effect does changing this option have?

If the authn method is (1) above, why is this even relevant unless crowd is mutating user creds in the configured LDAP?

Why is the list of options for "password encryption" limited to this set of old algorithms? OpenLDAP supports many more than this.

What decides what shows up in this list? Does the "connector" interrogate the LDAP backend for supported methods? Is this a hardwired list? Is this limited to only the hash routines that Atlassian Crowd has implemented?


Solution

  • 1) is correct: authentication uses an LDAP bind.

    You say:

    unless crowd is mutating user creds in the configured LDAP

    and that's exactly when it's used, as an encoder for changing passwords, or adding new users.

    The list is not generally queried from the server, but it is possible to add encoders through plugins.
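To make the two paths concrete, here is an added example (not Crowd's or OpenLDAP's own code) that builds a `userPassword` value in the RFC 2307 `{SCHEME}base64` form the "password encryption" option selects on the write path, and a verify routine that mirrors what the LDAP server itself does internally during a simple bind, which is why the option plays no part in path (1). The `{CRYPT}`/DES scheme is omitted because it depends on the platform's crypt(3).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example of RFC 2307-style userPassword encoders, i.e. the "encoder"
# role the option plays when Crowd writes or changes a password in OpenLDAP.
# {SSHA} layout is base64(sha1(password || salt) || salt); {SHA}/{MD5} are unsalted.

def encode_userpassword(password: str, scheme: str = "SSHA",
                        salt: Optional[bytes] = None) -> str:
    """Return the userPassword attribute value for the given scheme (write path)."""
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "PLAINTEXT":
        return password                      # stored as-is; server compares directly
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "SSHA":
        salt = salt if salt is not None else os.urandom(4)   # slapd commonly uses 4 bytes
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError(f"unsupported scheme: {scheme}")


def verify_userpassword(password: str, stored: str) -> bool:
    """Mirror of the server-side comparison performed on an LDAP simple bind.

    Crowd never runs this itself in the bind model; it is here only to show that
    the stored scheme is self-describing, so the client needs no 'encryption' setting
    to authenticate."""
    pw = password.encode("utf-8")
    if not stored.startswith("{"):           # no scheme prefix: plaintext entry
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, payload = stored[1:].partition("}")
    raw = base64.b64decode(payload)
    scheme = scheme.upper()
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]    # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False                             # unknown scheme: fail closed
```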