
Re: why is openldap not recognizing MD5 passwords?



Jonathan Abbey wrote:
On Thu, Jan 04, 2007 at 09:55:25PM +0100, Pierangelo Masarati wrote:

| This doesn't look like an MD5 password; the value slapd expects is
| something like
|
| slappasswd -h '{md5}' -s testpw
| {MD5}ju4+/d4ets9mOaWISDYr9A==
|
| Your value looks much like some extension to crypt(3) that allows to use
| strong(er) encryption than usual crypt(3) by providing a specially
| crafted salt. In that case, assuming you compiled slapd with {CRYPT}
| support using the same crypt(3) that generated that hash you should be
| able to use that secret by using the {CRYPT} scheme instead of {MD5}.
| You need to realize, of course, that this data is not portable.


That's a bit strong.  The algorithm in question is the MD5Crypt
algorithm, which originated in FreeBSD, and is now supported in
FreeBSD, OpenBSD, Linux, Solaris, and Mac OS X, among others,
presumably, as well as in Apache (though very slightly mutated in
Apache, for no good reason).  In addition, there are libraries
available in lots of languages which implement this algorithm.

The MD5Crypt algorithm has a couple of nice properties which make it
far stronger than simple MD5 usage.

First, it is salted, so as to resist dictionary attacks against
leaked hash text.

Second, it incorporates 1000 rounds of MD5 so as to try and increase
the CPU requirements for a password match, again for the purpose of
resisting attack against the hash text.  This level of CPU intensity
is hardly meaningful in current systems, but it is some small level of
protection still.

A good discussion of secure password formats can be found at

  http://www.openbsd.org/papers/bcrypt-paper.ps

for those interested.

It's a pity that OpenLDAP does not support MD5Crypt, but for the
present purposes, it's probably more a pity that it is so easy for
naive users to confuse MD5 hashing with MD5Crypt.

OpenLDAP contains no cryptography code itself. If your native system's C library has a crypt() function that supports MD5Crypt, then configuring OpenLDAP with --enable-crypt will support it. Or, if you explicitly provide some other library that supplies the proper crypt() function, we'll use it. As far as we're concerned, "crypt" means "whatever your crypt() function does," it does not necessarily mean the original Unix 56 bit DES crypt.


Agreed, it's a shame that people don't understand the difference between "MD5" and "crypt based on MD5."

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
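As an added illustration (not code from this thread, from OpenLDAP, or from any system's libc), the following Python puts the two things the thread contrasts side by side: the unsalted {MD5} value that `slappasswd -h '{md5}'` prints (Pierangelo's example), and the FreeBSD MD5Crypt ($1$) algorithm Jonathan describes, salted and iterated 1000 times, wrapped in the {CRYPT} prefix that, as Howard says, slapd simply hands to whatever crypt() the C library provides. The salt `abcdefgh` and the passwords used in the test are constructed values; a real slapd calls crypt(3) rather than anything written in Python, so this is only a reference model for reading and checking stored userPassword values.

```python
import base64
import hashlib
import hmac

# crypt(3)'s own 64-character alphabet, not standard base64
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def ldap_md5(password: str) -> str:
    """The {MD5} scheme: one unsalted MD5 digest, base64-encoded.
    The same password always yields the same value, so a leaked table
    can be attacked with a single precomputed dictionary."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def _to64(value: int, count: int) -> str:
    # Emit `count` characters, 6 bits at a time, least significant first.
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD MD5Crypt ($1$), as described by Jonathan: salted, and the
    digest is re-hashed 1000 times before encoding. Salt is at most 8
    characters and stops at the first '$'."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]
    s = salt.encode()
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + s)
    alt = hashlib.md5(pw + s + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # The 1000 stretching rounds; what is mixed in depends on the round index.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # crypt(3)'s byte interleaving before encoding: 5 groups of 3, then 1 byte
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"$1${salt}${out}"


def ldap_crypt_md5crypt(password: str, salt: str) -> str:
    """What a {CRYPT} userPassword looks like when the system crypt(3)
    speaks MD5Crypt: the $1$ string is stored verbatim behind the prefix."""
    return "{CRYPT}" + md5crypt(password, salt)


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against a {MD5} or {CRYPT}$1$ value.
    Anything else (e.g. a bare $1$ string under {MD5}) is rejected, which is
    exactly the mismatch the original poster ran into."""
    if stored.startswith("{MD5}"):
        candidate = ldap_md5(password)
    elif stored.startswith("{CRYPT}$1$"):
        salt = stored[len("{CRYPT}$1$"):].split("$", 1)[0]
        candidate = ldap_crypt_md5crypt(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(ldap_md5("testpw"))                     # the form slappasswd -h '{md5}' prints
    print(ldap_crypt_md5crypt("testpw", "abcdefgh"))  # constructed salt
```

`verify` returns False for an MD5Crypt string filed under the `{MD5}` prefix, which is the practical consequence of the confusion discussed above: slapd compares scheme by scheme, so a `$1$...` secret only works when stored as `{CRYPT}` on a system whose crypt(3) implements MD5Crypt.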