ppolicy_hash_cleartext also hashing hashes?
- To: OpenLDAP Software List <openldap-software@OpenLDAP.org>
- Subject: ppolicy_hash_cleartext also hashing hashes?
- From: Tim Tassonis <timtas@cubic.ch>
- Date: Fri, 28 Jul 2006 11:23:18 +0200
- User-agent: Thunderbird 1.5.0.2 (X11/20060420)
Hi all
I seem to have a problem when using the ppolicy_hash_cleartext directive
from the ppolicy overlay.
When I set a password like this:
ldapmodify << EOF
...
userPassword: thepassword
EOF
all works well and I get a hashed value in the directory.
When I set the password using ldappasswd, it gets set correctly, too.
Then, I wanted to import entries from a sunone directory into my
openldap server, where passwords were stored as SSHA hashes:
ldapsearch -h sunone | ldapmodify -h openldap
and that apparently made the ppolicy module hash the already hashed
values from the sunone server, none of the passwords were working
afterwards. After disabling ppolicy_hash_cleartext and re-importing,
they all worked fine.
Is it the case that, when having ppolicy_hash_cleartext enabled, you
cannot simply set passwords using
ldapmodify << EOF
...
userPassword: {SSHA}ETo0sDZO81GuyfenQ6xTC+Kb8gzSbBBj
EOF
, as they always will be rehashed? And if this is the case, is this
considered a bug or a given fact? I would have thought the overlay could
find out by checking the string for an initial {ALG}, that the password
given is already hashed, like the password verifying routine assumedly
has to.
Bye
Tim
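
The {ALG} prefix check the message proposes, together with a model of why a rehashed {SSHA} value stops verifying, as an added example that is not part of the original post and is not OpenLDAP code. The helper names, the sample LDIF and the assumption that the rehash treats the whole "{SSHA}..." string as cleartext are constructed for illustration; folded LDIF lines are not handled.

```python
import base64, hashlib, hmac, os, re

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_.-]+)\}")  # leading {SCHEME} tag

def ssha(password, salt=None):
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)

def scheme_of(value):
    """Return the scheme name if the value starts with {SCHEME}, else None."""
    m = SCHEME_RE.match(value)
    return m.group(1).decode().upper() if m else None

def verify_ssha(stored, candidate):
    """Check a candidate password against a stored {SSHA} value."""
    if scheme_of(stored) != "SSHA":
        return False
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)

def ldif_password_values(ldif):
    """Yield userPassword values from unfolded LDIF, decoding 'attr:: base64'."""
    for line in ldif.splitlines():
        name, _, rest = line.partition(":")
        if name.lower() != "userpassword":
            continue
        if rest.startswith(":"):          # 'userPassword:: <base64>'
            yield base64.b64decode(rest[1:].strip())
        else:                             # 'userPassword: <value>'
            yield rest.strip().encode()

def rehash_demo(password=b"thepassword"):
    """Model of hashing an already hashed value (assumed overlay behaviour)."""
    once = ssha(password)
    twice = ssha(once)  # the whole "{SSHA}..." string is treated as cleartext
    return verify_ssha(once, password), verify_ssha(twice, password)

# Constructed sample export: a base64-encoded hash, a cleartext value, a plain hash.
_h = ssha(b"thepassword", b"salt")
SAMPLE_LDIF = "\n".join([
    "userPassword:: " + base64.b64encode(_h).decode(),
    "userPassword: thepassword",
    "userPassword: " + _h.decode(),
])

if __name__ == "__main__":
    print(rehash_demo())  # (True, False)
    for v in ldif_password_values(SAMPLE_LDIF):
        print(scheme_of(v) or "cleartext")
```

Running the classifier over an export before importing shows which values already carry a scheme tag, including those that ldapsearch emitted in base64 form.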