
Re: Antw: How to make ldap evaluate clear text password vs DES stored password



Thanks for your advice.
But I have no choice but to use DES in this case.
I must do that even if it'll be temporary.
 

in message "Antw: How to make ldap evaluate clear text password vs DES stored password",
"Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de> wrote:
> Hi!
> 
> I think that traditional UNIX crypt passwords are obsolete for at least 10
> years.
> I also think that there are online services that could decode your DES-encoded
> challenges in a few seconds if not even faster...
> 
> What I mean to say is: Don't spend time in getting DES passwords, upgrade
> your security instead.
> 
> Modern systems encode passwords like this (note the difference in length!):
> :$6$CM21wofswJzjH.NfEtuX3m6Hjtx4H0mLq4MID3JqK254DCIw6Sjeh1kmI27DEwcAb8ilxb8KH08PmQIcTD8XloWFAXKmC/uuR1
> 
> See man crypt(3) for glibc: It knows about:
> Traditional DES-based
> Extended BSDI-style DES-based
> FreeBSD-style MD5-based
> SHA256 based
> SHA512 based
> OpenBSD-style Blowfish-based (bcrypt)
> 
> So I guess you get the idea...
> 
> Regards,
> Ulrich
> 
> >>> <yokoyamy@jacic.or.jp> schrieb am 20.09.2018 um 01:43 in Nachricht
> <201809192343.w8JNh4VT026857@mbox.securemx.jp>:
> > Hi.
> > 
> > I have user information in RDB which include user-id and password set.
> > 
> > I’ve been trying to use this RDB as backend database for openldap server.
> > 
> > Now, I can find user information in RDB through openldap.
> > 
> > However, I recognized I can’t use this user information for ldap login 
> > certification process.
> > 
> > LDAP’s userPassword stored in the RDB has been already DES hashed by
> > original app. On the other hand, input password from ldapsearch command line
> > is CLEARTEXT.
> >
> > Now I’d like my openldap to change CLEARTEXT input password into DES hashed
> > text so that they'll match for certification.
> > 
> > I've asked this topic on stackoverflow web site how to do that by server
> > settings. But I couldn’t find proper directives to set.
> > 
> > How to make ldap evaluate clear text password vs DES stored password
> > 
> > Since then, I’ve been searching LDAP source files which is matching input
> > password from ldapsearch command line against userPassword stored in backend
> > RDB for slapd.
> > 
> > I’d like to change certification process of LDAP source file to make input 
> > password into DES hashed by using 2 characters of userPassword as its SALT.
> > 
> > I've already known that 2 characters at the beginning of userPassword was
> > used as its SALT when it was hashed.
> >
> > So the fact is, my slapd can read userPassword from the RDB. I think I'll be
> > able to find out what will be SALT to make input password into DES hashed
> > text.
> >
> > If I can make openldap to act this way, I can use user's information in the RDB
> > to ldap login information seamlessly.
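
Added example (not part of the original messages and not OpenLDAP code): a classifier for stored crypt(3) strings that recognises the schemes listed in the quoted reply, extracts the salt (the first two characters for traditional DES, as the original poster describes), and flags legacy entries so they can be re-hashed after a successful login. The `{CRYPT}` prefix is OpenLDAP's userPassword scheme tag, which the thread does not mention; the function names, the sample rows and the choice to treat the DES and MD5 schemes as legacy are assumptions of this example.

```python
import re

B64 = r"[./0-9A-Za-z]"  # crypt(3) hash alphabet

# (scheme name as listed in the reply, pattern, legacy?), checked in order.
SCHEMES = [
    ("SHA512 based",
     re.compile(rf"^\$6\$(?:rounds=\d+\$)?(?P<salt>{B64}{{1,16}})\${B64}{{86}}$"), False),
    ("SHA256 based",
     re.compile(rf"^\$5\$(?:rounds=\d+\$)?(?P<salt>{B64}{{1,16}})\${B64}{{43}}$"), False),
    ("OpenBSD-style Blowfish-based (bcrypt)",
     re.compile(rf"^\$2[abxy]?\$\d\d\$(?P<salt>{B64}{{22}}){B64}{{31}}$"), False),
    ("FreeBSD-style MD5-based",
     re.compile(rf"^\$1\$(?P<salt>{B64}{{1,8}})\${B64}{{22}}$"), True),
    ("Extended BSDI-style DES-based",   # '_' + 4 count chars + 4 salt + 11 hash
     re.compile(rf"^_{B64}{{4}}(?P<salt>{B64}{{4}}){B64}{{11}}$"), True),
    ("Traditional DES-based",           # 2 salt chars + 11 hash chars = 13
     re.compile(rf"^(?P<salt>{B64}{{2}}){B64}{{11}}$"), True),
]

def classify(stored):
    """Return (scheme, salt, legacy) for a crypt(3) string, or None if unrecognised."""
    tag = "{CRYPT}"  # assumption: value may carry OpenLDAP's scheme tag
    value = stored[len(tag):] if stored.upper().startswith(tag) else stored
    for name, pattern, legacy in SCHEMES:
        match = pattern.match(value)
        if match:
            return name, match.group("salt"), legacy
    return None

def audit(rows):
    """Return the ids whose stored value is a legacy scheme or not a crypt hash at all."""
    flagged = []
    for uid, stored in rows:
        info = classify(stored)
        if info is None or info[2]:
            flagged.append(uid)
    return flagged

# Constructed sample rows (not real credentials, not taken from the thread).
SAMPLE_ROWS = [
    ("alice", "abJnggxhB/yWI"),                  # traditional DES, salt "ab"
    ("bob", "{CRYPT}$6$constructed$" + "A" * 86),
    ("carol", "$1$abcdefgh$" + "B" * 22),
    ("dave", "plaintext!"),                      # not a crypt(3) string
]

if __name__ == "__main__":
    for uid, stored in SAMPLE_ROWS:
        print(uid, classify(stored))
    print("re-hash at next login:", audit(SAMPLE_ROWS))
```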