RE: disable password hash
- To: <hyc@highlandsun.com>
- Subject: RE: disable password hash
- From: kervin@blueprint-tech.com
- Date: Wed, 22 May 2002 23:49:01 -0400 (EDT)
- Cc: <openldap-devel@OpenLDAP.org>
- Importance: Normal
- In-reply-to: <NMEFLNHODBAOPDKNNJALOEEOCOAA.hyc@highlandsun.com>
- References: <10658.163.118.3.50.1022118453.squirrel@blueprint-tech.com> <NMEFLNHODBAOPDKNNJALOEEOCOAA.hyc@highlandsun.com>
I'm a little confused about cleartext password use in slapd. This patch
seems to be what I need to get things to work. Am I mistaken?
The patch causes {CLEARTEXT} scheme to be treated just as the other schemes.
This is needed in cases where we want the back-end to handle the cleartext
passwords. As in a perl module I am writing to add/modify Win2k users.
--Kervin
> Looks like a bug, definitely. Should probably use the BER_BVC macro in
> there anyway.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
>> -----Original Message-----
>> From: kervin@blueprint-tech.com [mailto:kervin@blueprint-tech.com]
>> Sent: Wednesday, May 22, 2002 6:48 PM
>> To: hyc@highlandsun.com
>> Cc: kervin@blueprint-tech.com; openldap-software@OpenLDAP.org
>> Subject: RE: disable password hash
>>
>>
>> Hi,
>>
>> looked into it. 'password-hash {CLEARTEXT}' fails, and I am sure I have '#define
>> SLAPD_CLEARTEXT 1' set.
>> I think the cleartext scheme is always ignored, since in
>> libraries/liblutil/passwd.c, in get_schemes()
>> for( i=0; pw_schemes[i].name.bv_val; i++) {
>> if( pw_schemes[i].name.bv_len == 0 ) continue;
>>
>> if( strncasecmp(scheme, pw_schemes[i].name.bv_val,
>> pw_schemes[i].name.bv_len) == 0 )
>> {
>> return &pw_schemes[i];
>> }
>> }
>>
>> return NULL;
>>
>>
>> but cleartext is defined as ...
>>
>> #ifdef SLAPD_CLEARTEXT
>> /* psuedo scheme */
>> { {0, "{CLEARTEXT}"}, NULL, NULL },
>> #endif
>>
>>
>> cleartext's name.bv_len is *always* zero, therefore fails.
>> Shouldn't this be
>>
>>
>> #ifdef SLAPD_CLEARTEXT
>> /* psuedo scheme */
>> { {sizeof("{CLEARTEXT}")-1, "{CLEARTEXT}"}, NULL, NULL },
>> #endif
>>
>> like the others?
>>
>> --Kervin
>>
>>
>> >> -----Original Message-----
>> >> From: owner-openldap-software@OpenLDAP.org
>> >> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
>> >> kervin@blueprint-tech.com
>> >
>> >> I'd like to disable password hashing in slapd. Does anyone know
>> >> how to do this?
>> >
>> > Yes, but (seems to be the week for this) - why?
>> >
>> >> I've seen the "password-hash" slapd.conf option in the slapd.conf
>> >> man page, but it does not allow me to set the hash function to
>> >> "NONE", which is basically what I want to do.
>> >>
>> >> Any ideas?
>> >
>> > Use the Source, luke...
>> >>
>> >> --Kervin
>> >>
>> >
>> > Use the {CLEARTEXT} scheme. slapd must have been configured with
>> > --enable-cleartext for this to work.
>> >
>> > -- Howard Chu
>> > Chief Architect, Symas Corp. Director, Highland Sun
>> > http://www.symas.com http://highlandsun.com/hyc
>> > Symas: Premier OpenSource Development and Support
diff -ruN oltmp2/include/lutil_cleartext.h oltmp/include/lutil_cleartext.h
--- oltmp2/include/lutil_cleartext.h Wed Dec 31 19:00:00 1969
+++ oltmp/include/lutil_cleartext.h Wed May 22 23:40:33 2002
@@ -0,0 +1,12 @@
+#ifndef _LUTIL_CLEARTEXT_H_
+#define _LUTIL_CLEARTEXT_H_
+
+#include <lber_types.h>
+
+LDAP_BEGIN_DECL
+
+#define LUTIL_CLEARTEXT_PASSWORD_BYTES (32*sizeof(char))
+
+LDAP_END_DECL
+
+#endif /* _LUTIL_CLEARTEXT_H_ */
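Review bot: `LUTIL_CLEARTEXT_PASSWORD_BYTES` hard-codes a 32-byte length for cleartext passwords, and nothing in the patch validates a password against it; its only use is the fixed-size copy in `hash_cleartext` later in this patch, which silently truncates longer passwords and pads shorter ones with uninitialised stack bytes. `sizeof(char)` is 1 by definition, so the expression is simply `32`. If the constant is kept, a comment such as `/* fixed size of a stored cleartext password; hash_cleartext copies exactly this many bytes, callers must bound input to it */` would make the contract visible; encoding `passwd->bv_len` bytes instead of a fixed count removes the need for the limit entirely.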
diff -ruN oltmp2/libraries/liblutil/passwd.c oltmp/libraries/liblutil/passwd.c
--- oltmp2/libraries/liblutil/passwd.c Wed May 22 23:38:00 2002
+++ oltmp/libraries/liblutil/passwd.c Wed May 22 23:36:22 2002
@@ -64,7 +64,10 @@
#include "lutil_md5.h"
#include "lutil_sha1.h"
-#include "lutil.h"
+#include "lutil.h"
+#ifdef SLAPD_CLEARTEXT
+ #include "lutil_cleartext.h"
+#endif
static const unsigned char crypt64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
@@ -119,6 +122,13 @@
const struct berval *passwd,
const struct berval *cred );
#endif
+
+#ifdef SLAPD_CLEARTEXT
+static int chk_cleartext(
+ const struct pw_scheme *scheme,
+ const struct berval *passwd,
+ const struct berval *cred );
+#endif
#ifdef SLAPD_SPASSWD
static int chk_sasl(
@@ -173,6 +183,12 @@
const struct pw_scheme *scheme,
const struct berval *passwd );
#endif
+
+#ifdef SLAPD_CLEARTEXT
+static struct berval *hash_cleartext(
+ const struct pw_scheme *scheme,
+ const struct berval *passwd );
+#endif
#ifdef SLAPD_CRYPT
static struct berval *hash_crypt(
@@ -212,7 +228,7 @@
#ifdef SLAPD_CLEARTEXT
/* psuedo scheme */
- { {0, "{CLEARTEXT}"}, NULL, NULL },
+ { {sizeof("{CLEARTEXT}")-1, "{CLEARTEXT}"}, chk_cleartext, hash_cleartext },
#endif
{ {0, NULL}, NULL, NULL }
@@ -577,6 +593,32 @@
ber_memfree(orig_pass);
return rc ? 1 : 0;
}
+
+#ifdef SLAPD_CLEARTEXT
+static int chk_cleartext(
+ const struct pw_scheme *sc,
+ const struct berval * passwd,
+ const struct berval * cred )
+{
+ int rc;
+ unsigned char *orig_pass = NULL;
+
+ /* base64 un-encode password */
+ orig_pass = (unsigned char *) ber_memalloc( (size_t) (
+ LUTIL_BASE64_DECODE_LEN(passwd->bv_len) + 1) );
+
+ rc = lutil_b64_pton(passwd->bv_val, orig_pass, passwd->bv_len);
+ if ( rc < 0 ) {
+ ber_memfree(orig_pass);
+ return -1;
+ }
+
+ /* compare */
+ rc = memcmp((char *)orig_pass, (char *)cred->bv_val, cred->bv_len);
+ ber_memfree(orig_pass);
+ return rc ? 1 : 0;
+}
+#endif
static int chk_md5(
const struct pw_scheme *sc,
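Review bot: `chk_cleartext` compares only `cred->bv_len` bytes at the `memcmp` and never checks that the decoded length equals it, so a credential that is a prefix of the stored password verifies successfully, and a credential longer than the decoded data reads past the end of `orig_pass`; the `ber_memalloc` result is also passed to `lutil_b64_pton` without a NULL check. After the decode, replace the error check with `if ( rc < 0 || (size_t) rc != cred->bv_len ) { ber_memfree(orig_pass); return rc < 0 ? -1 : 1; }` and add `if ( orig_pass == NULL ) return -1;` directly after the allocation. The 0/1/-1 return convention follows the sibling function whose tail is visible at the top of this hunk. `memcmp` also exits on the first differing byte, so the comparison time depends on how much of the credential matches; whether the project's other chk_* functions accept that is not visible from this hunk.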
@@ -1073,6 +1115,24 @@
return pw_string64( scheme, &digest, NULL );
;
}
+
+#ifdef SLAPD_CLEARTEXT
+static struct berval *hash_cleartext(
+ const struct pw_scheme *scheme,
+ const struct berval *passwd )
+{
+ unsigned char buff[LUTIL_CLEARTEXT_PASSWORD_BYTES];
+
+ struct berval digest;
+
+ digest.bv_val = buff;
+ digest.bv_len = sizeof(buff);
+
+ memcpy(&buff, passwd->bv_val, sizeof(buff));
+
+ return pw_string64( scheme, &digest, NULL );
+}
+#endif
#ifdef SLAPD_LMHASH
/* pseudocode from RFC2433
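Review bot: `hash_cleartext` copies `sizeof(buff)` bytes from `passwd->bv_val` regardless of `passwd->bv_len`, so a password shorter than 32 bytes over-reads the caller's buffer and a longer one is silently truncated, and since `buff` is never initialised the encoded value for a short password contains indeterminate stack bytes. The `memcpy(&buff, ...)` spelling and assigning an `unsigned char *` to `bv_val` are further signs the buffer is not needed: the scheme applies no transformation, so the berval handed to `pw_string64` can point at the password's own bytes at their real length, as below, which also leaves `LUTIL_CLEARTEXT_PASSWORD_BYTES` unused. This assumes `pw_string64` only reads its berval argument, which its other call site at the top of the hunk suggests but does not prove; its declaration is outside the patch.
```c
static struct berval *hash_cleartext(
	const struct pw_scheme *scheme,
	const struct berval *passwd )
{
	struct berval digest;

	/* no transformation: encode the password bytes as-is, at their real length */
	digest.bv_val = passwd->bv_val;
	digest.bv_len = passwd->bv_len;

	return pw_string64( scheme, &digest, NULL );
}
```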