
RE: disable password hash



I'm a little confused about cleartext password use in slapd.  This patch
seems to be what I need to get things to work.  Am I mistaken?
The patch causes the {CLEARTEXT} scheme to be treated just like the other schemes.

This is needed in cases where we want the back-end to handle the cleartext
passwords.  As in a perl module I am writing to add/modify Win2k users.
--Kervin

> Looks like a bug, definitely. Should probably use the BER_BVC macro in
> there anyway.
>
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support
>
>> -----Original Message-----
>> From: kervin@blueprint-tech.com [mailto:kervin@blueprint-tech.com]
>> Sent: Wednesday, May 22, 2002 6:48 PM
>> To: hyc@highlandsun.com
>> Cc: kervin@blueprint-tech.com; openldap-software@OpenLDAP.org
>> Subject: RE: disable password hash
>>
>>
>> Hi,
>>
>> looked into it.  'password-hash {CLEARTEXT}' fails and I have '#define
>> SLAPD_CLEARTEXT 1' set I'm sure.
>> I think the cleartext scheme is always ignored since in
>> libraries/liblutil/passwd.c, in get_schemes()
>> 	for( i=0; pw_schemes[i].name.bv_val; i++) {
>> 		if( pw_schemes[i].name.bv_len == 0 ) continue;
>>
>> 		if( strncasecmp(scheme, pw_schemes[i].name.bv_val,
>> 			pw_schemes[i].name.bv_len) == 0 )
>> 		{
>> 			return &pw_schemes[i];
>> 		}
>> 	}
>>
>> 	return NULL;
>>
>>
>> but cleartext is defined as ...
>>
>> #ifdef SLAPD_CLEARTEXT
>> 	/* psuedo scheme */
>> 	{ {0, "{CLEARTEXT}"}, NULL, NULL },
>> #endif
>>
>>
>> cleartext's name.bv_len is *always* zero, therefore fails.
>> Shouldn't this be
>>
>>
>> #ifdef SLAPD_CLEARTEXT
>> 	/* psuedo scheme */
>> 	{ {sizeof("{CLEARTEXT}")-1, "{CLEARTEXT}"}, NULL, NULL },
>> #endif
>>
>> like the others?
>>
>> --Kervin
>>
>>
>> >> -----Original Message-----
>> >> From: owner-openldap-software@OpenLDAP.org
>> >> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
>> >> kervin@blueprint-tech.com
>> >
>> >> I'd like to disable password hashing in slapd.  Does anyone know
>> >> how to do this?
>> >
>> > Yes, but (seems to be the week for this) - why?
>> >
>> >> I've seen the "password-hash" slapd.conf option in the slapd.conf
>> >> man page, but it does not allow me to set the hash function to
>> >> "NONE", which is basically what I want to do.
>> >>
>> >> Any ideas?
>> >
>> > Use the Source, luke...
>> >>
>> >> --Kervin
>> >>
>> >
>> > Use the {CLEARTEXT} scheme. slapd must have been configured with
>> > --enable-cleartext for this to work.
>> >
>> >  -- Howard Chu
>> >  Chief Architect, Symas Corp.       Director, Highland Sun
>> >  http://www.symas.com               http://highlandsun.com/hyc
>> >  Symas: Premier OpenSource Development and Support


diff -ruN oltmp2/include/lutil_cleartext.h oltmp/include/lutil_cleartext.h
--- oltmp2/include/lutil_cleartext.h	Wed Dec 31 19:00:00 1969
+++ oltmp/include/lutil_cleartext.h	Wed May 22 23:40:33 2002
@@ -0,0 +1,12 @@
+#ifndef _LUTIL_CLEARTEXT_H_
+#define _LUTIL_CLEARTEXT_H_
+
+#include <lber_types.h>
+
+LDAP_BEGIN_DECL
+
+#define LUTIL_CLEARTEXT_PASSWORD_BYTES (32*sizeof(char))
+
+LDAP_END_DECL
+
+#endif /* _LUTIL_CLEARTEXT_H_ */
diff -ruN oltmp2/libraries/liblutil/passwd.c oltmp/libraries/liblutil/passwd.c
--- oltmp2/libraries/liblutil/passwd.c	Wed May 22 23:38:00 2002
+++ oltmp/libraries/liblutil/passwd.c	Wed May 22 23:36:22 2002
@@ -64,7 +64,10 @@
 
 #include "lutil_md5.h"
 #include "lutil_sha1.h"
-#include "lutil.h"
+#include "lutil.h"
+#ifdef SLAPD_CLEARTEXT
+	#include "lutil_cleartext.h"
+#endif
 
 static const unsigned char crypt64[] =
 	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
@@ -119,6 +122,13 @@
 	const struct berval *passwd,
 	const struct berval *cred );
 #endif
+
+#ifdef SLAPD_CLEARTEXT
+static int chk_cleartext(
+	const struct pw_scheme *scheme,
+	const struct berval *passwd,
+	const struct berval *cred );
+#endif
 
 #ifdef SLAPD_SPASSWD
 static int chk_sasl(
@@ -173,6 +183,12 @@
 	const struct pw_scheme *scheme,
 	const struct berval *passwd );
 #endif
+
+#ifdef SLAPD_CLEARTEXT
+static struct berval *hash_cleartext(
+	const struct pw_scheme *scheme,
+	const struct berval *passwd );
+#endif
 
 #ifdef SLAPD_CRYPT
 static struct berval *hash_crypt(
@@ -212,7 +228,7 @@
 
 #ifdef SLAPD_CLEARTEXT
 	/* psuedo scheme */
-	{ {0, "{CLEARTEXT}"}, NULL, NULL },
+	{ {sizeof("{CLEARTEXT}")-1, "{CLEARTEXT}"}, chk_cleartext, hash_cleartext },
 #endif
 
 	{ {0, NULL}, NULL, NULL }
@@ -577,6 +593,32 @@
 	ber_memfree(orig_pass);
 	return rc ? 1 : 0;
 }
+
+#ifdef SLAPD_CLEARTEXT
+static int chk_cleartext(
+	const struct pw_scheme *sc,
+	const struct berval * passwd,
+	const struct berval * cred )
+{
+	int rc;
+	unsigned char *orig_pass = NULL;
+
+	/* base64 un-encode password */
+	orig_pass = (unsigned char *) ber_memalloc( (size_t) (
+		LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+
+	rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+	if ( rc < 0 ) {
+		ber_memfree(orig_pass);
+		return -1;
+	}
+
+	/* compare */
+	rc = memcmp((char *)orig_pass, (char *)cred->bv_val, cred->bv_len);
+	ber_memfree(orig_pass);
+	return rc ? 1 : 0;
+}
+#endif
 
 static int chk_md5(
 	const struct pw_scheme *sc,
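Review bot: The memcmp at the end of chk_cleartext compares only cred->bv_len bytes and never checks that length against the decoded length returned in rc, so a credential that is a prefix of the stored value verifies successfully, and a credential longer than the decoded data reads past the end of orig_pass. Change the post-decode check to `if ( rc < 0 || (size_t) rc != cred->bv_len ) {` so the lengths must match before the compare; this relies on the stored value being exactly the password, which hash_cleartext in the later hunk does not currently guarantee. The ber_memalloc result is also used without a NULL check; add `if ( orig_pass == NULL ) return -1;` before the decode. Since orig_pass holds the recovered password, clearing it before ber_memfree would keep it from lingering on the heap.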
@@ -1073,6 +1115,24 @@
 	return pw_string64( scheme, &digest, NULL );
 ;
 }
+
+#ifdef SLAPD_CLEARTEXT
+static struct berval *hash_cleartext(
+	const struct pw_scheme *scheme,
+	const struct berval  *passwd )
+{
+	unsigned char   buff[LUTIL_CLEARTEXT_PASSWORD_BYTES];
+
+	struct berval digest;
+
+	digest.bv_val = buff;
+	digest.bv_len = sizeof(buff);
+
+	memcpy(&buff, passwd->bv_val, sizeof(buff));
+
+	return pw_string64( scheme, &digest, NULL );
+}
+#endif
 
 #ifdef SLAPD_LMHASH 
 /* pseudocode from RFC2433