OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : SLAPD Configuration : Passwords :
What are {SHA} and {SSHA} passwords and how do I generate them?
What are RFC 2307 hashed user passwords?.
Netscape provides a technical note on how to generate {SHA} and
{SSHA} password values. See: http://developer.netscape.com:80/docs/technote/ldap/pass_sha.html
#! /usr/bin/perl
#
# This small script generates an Seeded SHA1 hash of 'secret'
# (using the seed "salt") for use as a userPassword or rootpw value.
#
use Digest::SHA1;
use MIME::Base64;
$ctx = Digest::SHA1->new;
$ctx->add('secret');
$ctx->add('salt');
$hashedPasswd = '{SSHA}' . encode_base64($ctx->digest . 'salt' ,'');
print 'userPassword: ' . $hashedPasswd . "\n";
#! /usr/bin/perl
#
# This small script generates an SHA1 hash of 'secret' for use
# as a userPassword or rootpw value.
#
use Digest::SHA1;
use MIME::Base64;
$ctx = Digest::SHA1->new;
$ctx->add('secret');
$hashedPasswd = '{SHA}' . encode_base64($ctx->digest,'');
print 'userPassword: ' . $hashedPasswd . "\n";First of all, make use of the 'slappasswd' utility to generate a password, so you can check if your PHP routines are correct. (The slappasswd utility is part of the openldap distribution).
The command
slappasswd -h {SHA} -s abcd123
will generate
{SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
so, in your entry, an attribute like this could be specified:
userPassword: {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
but when you do a slapcat or ldapsearch and the output is in LDIF format, the userpassword will be base_64 encoded, and it will look like this:
userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2ZWhRT21ZUElmUzI4L0U9Confused yet ?
Now enter PHP (< 5). You would like to generate a {SHA} password from a cleartext password that was entered in a FORM by a user, which is held in $pass. It would be easy to do:
$userpassword = "{SHA}" . sha1( $pass );
but that will generate:
{SHA}7c3607b8e61bcf1944e9e8503a660f21f4b6f3f1
and altough that looks nice, it won't work.
That's because the PHP sha1() function delivers a Hex encoded string.
In PHP >= 5 you can set a boolean, to omit that:
$userpassword = "{SHA}" . sha1( $pass, TRUE );
but in PHP < 5 you need to do this:
$userpassword = "{SHA}" . pack( "H*", sha1( $pass ) );
this will generate:
something very ugly that I can't represent here, since it is binary.now to avoid putting the binary stuff into the directory, you need to base_64 encode it, like this:
$userpassword = "{SHA}" . base64_encode( pack( "H*", sha1( $pass ) ) );
this will, finally, generate
{SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
and that value should be put into the userPassword attribute.Ace (http://www.qwido.net)
#!/usr/bin/env ruby
# Ruby script to generate SSHA (Good for LDAP)
require 'sha1'
require 'base64'
hash = "{SSHA}"+Base64.encode64(Digest::SHA1.digest('secret'+'salt')+'salt').chomp!
puts 'userPassword: '+hash+"\n"#!/usr/bin/env ruby
require 'sha1' require 'base64' hash = "{SSHA}"+Base64.encode64(Digest::SHA1.digest('secret'+'salt')+'salt').chomp! puts 'userPassword: '+hash+"\n"
import sha from base64 import b64encode ctx = sha.new( password ) hash = "{SHA}" + b64encode( ctx.digest() )
And salted SHA (guessing from the perl-examples, haven't tried it):
import sha from base64 import b64encode ctx = sha.new( password ) ctx.update( salt ) hash = "{SSHA}" + b64encode( ctx.digest() + salt )
2008/01/10 - Reed O'Brien
SSHA python seeded salted sha password
import hashlib
from base64 import urlsafe_b64encode as encode
from base64 import urlsafe_b64decode as decode
def makeSecret(password):
salt = os.urandom(4)
h = hashlib.sha1(password)
h.update(salt)
return "{SSHA}" + encode(h.digest() + salt)
def checkPassword(challenge_password, password):
challenge_bytes = decode(challenge_password[6:])
digest = challenge_bytes[:20]
salt = challenge_bytes[20:]
hr = hashlib.sha1(password)
hr.update(salt)
return digest == hr.digest()
>>> challenge_password = makeSecret('testing123')
>>> challenge_password
'{SSHA}0c0blFTXXNuAMHECS4uxrj3ZieMoWImr'
>>> checkPassword(challenge_password, 'testing123')
True
>>> checkPassword(challenge_password, 'testing124')
False
Previous Python method to generate SHA and SSHA password is wrong and works partially with openldap, don't use urlsafe_b64encode
from base64 module who replace "/" by _ and "+" by "-". Use instead the encodestring method from the same module.
So the previous code is :
import hashlib
from base64 import encodestring as encode
from base64 import decodestring as decode
def makeSecret(password):
salt = os.urandom(4)
h = hashlib.sha1(password)
h.update(salt)
return "{SSHA}" + encode(h.digest() + salt)
def checkPassword(challenge_password, password):
challenge_bytes = decode(challenge_password[6:])
digest = challenge_bytes[:20]
salt = challenge_bytes[20:]
hr = hashlib.sha1(password)
hr.update(salt)
return digest == hr.digest()
Note that base64.encodestring() appends a newline ("\n") to its output (see http://docs.python.org/library/base64.html), so makeSecret() should probably be modified to strip that newline:
def makeSecret(password):
salt = os.urandom(4)
h = hashlib.sha1(password)
h.update(salt)
return "{SSHA}" + encode(h.digest() + salt){:-1]
Forgive the formatting errors and typos in my previous edit. Here's what I meant to write
(note change from open brace to open bracket in to the last line):
Note that base64.encodestring() appends a newline ("\n") to its output (see http://docs.python.org/library/base64.html),
so makeSecret() should probably be modified to strip that newline:
def makeSecret(password):
salt = os.urandom(4)
h = hashlib.sha1(password)
h.update(salt)
return "{SSHA}" + encode(h.digest() + salt)[:-1]If you are stuck on Windows, using the OpenSSL for Windows package: http://gnuwin32.sourceforge.net/packages/openssl.htm The below batch script can generate a {SHA} hash suitable for LDAP passwords: makeshahash.bat: @echo off echo|set /p="{SHA}" echo|set /p="%1" | openssl dgst -sha1 -binary | openssl enc -base64 > makeshahash.bat secret {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
Here is an update for Python-based hashing and testing. These functions worked on Ubuntu 12.04 + OpenLDAP 2.4.28-1.1ubuntu4. https://gist.github.com/rca/7217540 Thanks!