
Re: SSHA hashes are stored as '{ssha}......' and '{SSHA}......'



On Tuesday, September 29, 2015 at 08:22:36AM +0100, Howard Chu wrote:

> > We are authenticating from some Java written software against an
> > OpenLDAP system by reading the users 'userPassword' LDAP attribute,
> > calculating the clear text password against the SSHA hash string.
> 
> That's the wrong way to authenticate against credentials stored in an LDAP 
> directory. You should just do an LDAP Bind.

I do not know (the Java classes have been written by others) why we do
not just do a bind. What is wrong with our method?

> > It turned out that some (a few number) of these hash are stored  in the
> > form:
> >
> > userPassword:: e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==
> >
> > which decodes to:
> >
> > $ echo 'e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==' | openssl base64 -d
> > {ssha}GkR9OuHhNjAhg0VySmcBGEA9ocLUNFefgcEZ1w==
> >
> > i.e. with SSHA in small letters. It's only 1 of thousand users having
> > the tag as '{ssha}'.
> >
> > Why is this?
> 
> Probably you have some clients updating their entries with hashed passwords 
> instead of letting slapd do all the hashing. Again, that is not a good practice.

This part is not under our control. The LDAP is managed by some customer
and I *think* they use some Perl script to create the user credentials in
LDAP, calculating the SSHA hash in advance.

Thanks for your feedback in any case.

	matthias

>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com
>    Director, Highland Sun     http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/

-- 
Matthias Apitz, ✉ guru@unixarea.de, 🌐 http://www.unixarea.de/  ☎ +49-176-38902045
No! Nein! ¡No! Όχι! -- Ευχαριστούμε!
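The thread turns on two details of the RFC 2307 `{SSHA}` format: the value is base64 of a SHA-1 digest followed by a salt, and the scheme tag between the braces is accepted case-insensitively by slapd's own password checking, so `{ssha}` and `{SSHA}` are the same scheme. The following is an added example, not code from the thread or from OpenLDAP, showing how a client that insists on verifying `userPassword` itself (rather than doing the bind Howard recommends) has to parse the value to avoid rejecting the lowercase variants. It assumes the 4-byte salt slapd uses by default when it generates hashes; the sample hash values below are constructed, except for the one LDIF line taken from the post.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# "{scheme}payload" as stored in userPassword (RFC 2307 style).
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)
_SHA1_LEN = 20

# The LDIF line quoted in the post ("userPassword:: <base64>"); the "::" means
# the attribute value itself is base64-encoded once more by the LDIF exporter.
PAGE_LDIF_VALUE = "e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ=="


def decode_userpassword_attr(ldif_b64: str) -> str:
    """Undo the LDIF '::' base64 layer to get the raw '{scheme}...' value."""
    return base64.b64decode(ldif_b64).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(sha1(password || salt) || salt).

    Assumption: a 4-byte random salt, as slapd generates by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Optional[Tuple[str, bytes, bytes]]:
    """Return (scheme, digest, salt) for an {SSHA}/{ssha} value, else None.

    The scheme tag is normalised to upper case: '{ssha}' and '{SSHA}' are the
    same scheme, which is the case the post tripped over."""
    m = _SCHEME_RE.match(stored)
    if not m:
        return None
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme != "SSHA":
        return None  # other schemes ({SHA}, {CRYPT}, ...) need their own verifier
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) <= _SHA1_LEN:  # SSHA needs a 20-byte digest plus a non-empty salt
        return None
    return scheme, raw[:_SHA1_LEN], raw[_SHA1_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SSHA} value."""
    parsed = parse_ssha(stored)
    if parsed is None:
        return False
    _, digest, salt = parsed
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = make_ssha("example-password")  # constructed sample
    print(stored, verify_ssha("example-password", stored))
    lower = "{ssha}" + stored[len("{SSHA}"):]
    print(lower, verify_ssha("example-password", lower))
    print(decode_userpassword_attr(PAGE_LDIF_VALUE))
```

Note what this client-side approach costs: the application account needs read access to every user's password hash, and any scheme slapd adds (or any tag spelling a script writes) becomes a bug in the client. An LDAP simple bind moves all of that back into slapd, which already handles the case-insensitive tag.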