
Re: SSHA Encryption



Daniel,

Use slappasswd to produce a hash, complete with the {SSHA} (or whatever) prefix, then copy and paste this string into the appropriate ldapmodify prompt.

# slappasswd -h '{crypt}'   # if you *must* use crypt
New password:
Re-enter new password:
{CRYPT}m1bKwhFjCg09Y
mansfield{22}#

SSHA is more secure than crypt and produces more impressive hashes, so this is recommended over crypt:

mansfield{22}# slappasswd
New password:
Re-enter new password:
{SSHA}H+hJ0vXkSZuMxR/1h1u3ax6oZUky/VhM
mansfield{23}#

Now, issue the ldapmodify command:

mansfield{25}# /usr/local/bin/ldapmodify -Z -x -D cn=mangler,dc=mydomain,dc=uoregon,dc=edu -c -W
Enter LDAP Password:
dn: uid=chuck,ou=people,dc=mydomain,dc=uoregon,dc=edu
changetype: modify
replace: userPassword
userPassword: {SSHA}H+hJ0vXkSZuMxR/1h1u3ax6oZUky/VhM


Regards,
Chuck


At 05:12 AM 11/12/2004, you wrote:
Thank you for the advice, but I remember that some time ago I modified a record, and if I wrote {crypt} before the password, it was automatically added encrypted. That's what I'm looking for.

I can't use ldappasswd, because I'm just trying to do this in order to apply it afterwards to the Novell LDAP Library for Java, and they change the password with a modification (delete & add), but they don't say anything about encryption, so I think that it could be an LDAP matter.

I'm really lost...
Thank you.

Howard Chu wrote:

Daniel Merino wrote:

Hi all.

I have LDAP records with their userPassword field encrypted with SSHA. When I do a ldapsearch, I receive something like this:

userpassword={SSHA}cYH1lop+FfWT5Ttua1h8P7x/xEZePQsLP2KIaA==

But when I do a ldapmodify, delete the old password and add the new, i.e.:

add: userpassword
userpassword: 828f656
-

I change the password, but it doesn't encrypt it and the next ldapsearch that I do shows this field in plain text.


That is the way ldapmodify works. Use ldappasswd to change passwords.

-- Daniel Merino daniel.merino@unavarra.es Tfno: 948-168951 - Sección de Gestión Servicio Informático - Universidad Pública de Navarra.


Chuck Theobald System Administrator The Robert and Beverly Lewis Center for Neuroimaging University of Oregon P: 541-346-0343 F: 541-346-0345
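
Added example, not part of the original thread and not OpenLDAP code: the {SSHA} values quoted above are base64(SHA1(password + salt) + salt), so a client that writes userPassword with a plain modify has to build that string itself, and a directory can be checked for values that were stored without any {SCHEME} prefix. The function names and the DNs other than uid=chuck are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.+)$", re.S)
SHA1_LEN = 20  # bytes in a SHA-1 digest

def split_scheme(value):
    """Return (SCHEME, payload); SCHEME is None for a value stored in the clear."""
    m = SCHEME_RE.match(value)
    return (m.group(1).upper(), m.group(2)) if m else (None, value)

def decode_ssha(value):
    """Split an {SSHA} value into (digest, salt)."""
    scheme, payload = split_scheme(value)
    if scheme != "SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(payload, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("no salt after the digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]

def make_ssha(password, salt=None):
    """{SSHA} + base64(SHA1(password + salt) + salt); random 4-byte salt by default."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(value, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = decode_ssha(value)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def find_cleartext(entries):
    """DNs whose userPassword has no {SCHEME} prefix, i.e. was written as-is."""
    return [dn for dn, value in entries.items() if split_scheme(value)[0] is None]

# Constructed sample: the values are the ones quoted in this thread; the DNs
# other than uid=chuck are hypothetical.
SAMPLE = {
    "uid=chuck,ou=people,dc=mydomain,dc=uoregon,dc=edu": "{SSHA}H+hJ0vXkSZuMxR/1h1u3ax6oZUky/VhM",
    "uid=example1,ou=people,dc=example,dc=org": "{SSHA}cYH1lop+FfWT5Ttua1h8P7x/xEZePQsLP2KIaA==",
    "uid=example2,ou=people,dc=example,dc=org": "{CRYPT}m1bKwhFjCg09Y",
    "uid=example3,ou=people,dc=example,dc=org": "828f656",
}

if __name__ == "__main__":
    for dn in find_cleartext(SAMPLE):
        print("cleartext userPassword:", dn)
```

The string returned by make_ssha() is what goes after "userPassword: " in the modify request, in place of the bare password.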