
Re: base_64 encoding



Thierry Lacoste wrote:
> but when you do a slapcat or ldapsearch and the output is in LDIF format, 
> the userpassword will be base_64 encoded, and it will look like this: 
>         userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2ZWhRT21ZUElmUzI4L0U9
> 
> Just out of curiosity why is it further encoded as everything in
> the userPassword is already base_64 encoded except the string {SHA}?

IIRC these tools try to hide the userPassword value from being viewed in
case they contain clear-text passwords. It's kind of hard-coded. This
protects only against a good admin accidentally reading passwords he
doesn't want to know.

Note the :: before the value. This LDIF syntax indicates that the value
is base64-encoded. For reading LDIF files I strongly recommend using a
decent LDIF parser available for your favorite scripting language
instead of implementing naive string parsing yourself.

Ciao, Michael.
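
Added example, not part of the original message: a Python sketch of the two encoding layers discussed in this thread, decoding the "::" LDIF value from the quoted line and then the digest behind the {SHA} prefix, with RFC 2849 line folding handled. The function names and the folded sample entry are constructed for illustration, and it covers only this subset of LDIF, so it does not replace a full LDIF parser.

```python
import base64

# Value line copied from the post above; FOLDED is a constructed sample entry.
PAGE_LINE = "userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2ZWhRT21ZUElmUzI4L0U9"
FOLDED = ("dn: uid=test,dc=example,dc=com\n"
          "userPassword:: e1NIQX1mRFlIdU9ZYnp4\n"
          " bEU2ZWhRT21ZUElmUzI4L0U9\n"
          "cn: test\n")
B64_SCHEMES = {"SHA", "SSHA", "MD5", "SMD5"}  # payload is base64 of the digest


def unfold(text):
    """Join RFC 2849 continuation lines (lines that begin with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_attrval(line):
    """Return (attribute, value_bytes); '::' marks a base64-encoded value."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: %r" % line)
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    if rest.startswith("<"):
        raise ValueError("URL-referenced values are not handled here")
    return attr, rest.strip().encode("utf-8")


def split_scheme(value):
    """Split b'{SHA}...' into (scheme, payload); scheme is None if absent."""
    if not value.startswith(b"{") or b"}" not in value:
        return None, value  # no scheme prefix: possibly a clear-text password
    scheme, _, payload = value[1:].partition(b"}")
    name = scheme.decode("ascii", "replace").upper()
    if name in B64_SCHEMES:
        payload = base64.b64decode(payload, validate=True)
    return name, payload


def password_values(ldif_text):
    """Return (scheme, payload) for every userPassword value in the text."""
    pairs = (parse_attrval(line) for line in unfold(ldif_text))
    return [split_scheme(v) for a, v in pairs if a.lower() == "userpassword"]
```
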