[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Substring Indexes on userPassword Attribute
On Fri, May 31, 2013 at 10:13:12AM -0700, Tim Gustafson wrote:
> slapd.conf: line 82: substr index of attribute "userPassword" disallowed
And quite right too! You really don't want to make it any easier for an
attacker to search for weak passwords.
> Why is that? How can I do a search that would tell me which of my
> users is using an SHA-hashed password?
You don't need to modify the Slapd setup for that: just work with an LDIF
backup of the data (e.g. from slapcat). Use grep to extract the
userPassword attributes. You will then need a script to convert the values
from Base-64 encoding to text, and a regular expression to extract the
encoding scheme from the front of the text string.
That will let you count the number of users for each scheme. (e.g. using
sort and uniq).
If you really want to know which users use which scheme then replace grep
with an LDIF parser and extract both userPassword and uid at the same time.
The LDIF parser will take care of the Base-64 for you as well.
You should be able to do the whole job in less than 20 lines of Perl or Python.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------