Re: How to make ldap evaluate clear text password vs DES stored password
Hi!
I think that traditional UNIX crypt passwords have been obsolete for at least 10
years.
I also think that there are online services that could decode your DES-encoded
challenges in a few seconds if not even faster...
What I mean to say is: Don't spend time in getting DES passwords, upgrade
your security instead.
Modern systems encode passwords like this (note the difference in length!):
:$6$CM21wofswJzjH.NfEtuX3m6Hjtx4H0mLq4MID3JqK254DCIw6Sjeh1kmI27DEwcAb8ilxb8KH08PmQIcTD8XloWFAXKmC/uuR1
See man crypt(3) for glibc: It knows about:
Traditional DES-based
Extended BSDI-style DES-based
FreeBSD-style MD5-based
SHA256 based
SHA512 based
OpenBSD-style Blowfish-based (bcrypt)
So I guess you get the idea...
Regards,
Ulrich
>>> <yokoyamy@jacic.or.jp> wrote on 20.09.2018 at 01:43 in message
<201809192343.w8JNh4VT026857@mbox.securemx.jp>:
> Hi.
>
> I have user information in RDB which include user‑id and password set.
>
> I’ve been trying to use this RDB as backend database for openldap server.
>
> Now, I can find user information in RDB through openldap.
>
> However, I recognized I can’t use this user information for ldap login
> certification process.
>
> LDAP’s userPassword stored in the RDB has been already DES hashed by
> original app. On the other hand, input password from ldapsearch command line
> is CLEARTEXT.
>
> Now I’d like my openldap to change CLEARTEXT input password into DES hashed
> text so that they'll match for certification.
>
> I've asked this topic on stackoverflow web site how to do that by server
> settings. But I couldn’t find proper directives to set.
>
> How to make ldap evaluate clear text password vs DES stored password
>
> Since then, I’ve been searching LDAP source files which is matching input
> password from ldapsearch command line against userPassword stored in backend
> RDB for slapd.
>
> I’d like to change certification process of LDAP source file to make input
> password into DES hashed by using 2 characters of userPassword as its SALT.
>
> I've already known that 2 characters at the beginning of userPassword was
> used as its SALT when it was hashed.
>
> So the fact is, my slapd can read userPassword from the RDB. I think I'll be
> able to find out what will be SALT to make input password into DES hashed
> text.
>
> If I can make openldap to act this way, I can use user's information in the RDB
> as ldap login information seamlessly.
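
An added example, not part of either message in this thread: a Python sketch that classifies stored password values by the crypt(3) schemes listed in the reply and reports which accounts in a user store are still on DES-based hashes. The function names and sample records are constructed for illustration; stripping an optional `{CRYPT}` prefix assumes the values may be stored in OpenLDAP's userPassword scheme-prefix form.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) hash strings

# (scheme name as listed in the reply, DES-based?, full-string pattern)
SCHEMES = [
    ("Traditional DES", True,
     re.compile(rf"(?P<salt>{B64}{{2}}){B64}{{11}}")),
    ("Extended BSDI-style DES", True,
     re.compile(rf"_(?P<rounds>{B64}{{4}})(?P<salt>{B64}{{4}}){B64}{{11}}")),
    ("FreeBSD-style MD5", False,
     re.compile(rf"\$1\$(?P<salt>[^$]{{1,8}})\${B64}{{22}}")),
    ("SHA256", False,
     re.compile(rf"\$5\$(rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]{{1,16}})\${B64}{{43}}")),
    ("SHA512", False,
     re.compile(rf"\$6\$(rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]{{1,16}})\${B64}{{86}}")),
    ("OpenBSD-style Blowfish (bcrypt)", False,
     re.compile(rf"\$2[abxy]?\$(?P<rounds>\d\d)\$(?P<salt>{B64}{{22}}){B64}{{31}}")),
]

def classify(stored):
    """Return (scheme, salt, des_based) for a crypt(3)-style value, else None."""
    # Assumption: values may carry OpenLDAP's {CRYPT} scheme prefix.
    value = re.sub(r"^\{CRYPT\}", "", stored.strip(), flags=re.I)
    for name, des_based, pattern in SCHEMES:
        match = pattern.fullmatch(value)
        if match:
            return name, match.group("salt"), des_based
    return None

def legacy_des_accounts(records):
    """Map uid -> scheme for every account still stored as a DES-based hash."""
    found = {}
    for uid, stored in records.items():
        hit = classify(stored)
        if hit and hit[2]:
            found[uid] = hit[0]
    return found

# Constructed sample records: format-valid placeholders, not real hashes.
SAMPLE = {
    "alice": "ab" + "A" * 11,                      # 2-char salt + 11 chars
    "bob": "{CRYPT}_J9.." + "salt" + "B" * 11,     # '_' + count + salt + hash
    "carol": "$1$saltsalt$" + "C" * 22,
    "dave": "$6$rounds=5000$saltsaltsalt$" + "D" * 86,
    "erin": "$2b$12$" + "E" * 53,
    "frank": "not-a-crypt-hash",
}

if __name__ == "__main__":
    for uid, scheme in legacy_des_accounts(SAMPLE).items():
        print(f"{uid}: {scheme} -> needs rehash on next password change")
```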