Re: How to make ldap evaluate clear text password vs DES stored password
- To: yokoyamy@jacic.or.jp
- Subject: Re: How to make ldap evaluate clear text password vs DES stored password
- From: Olivier <Olivier.Nicole@cs.ait.ac.th>
- Date: Fri, 21 Sep 2018 15:29:00 +0700
- Cc: openldap-technical@openldap.org, dwhite@cafedemocracy.org, yokoyamy@jacic.or.jp
- In-reply-to: <201809210748.w8L7mRB9024205@mbox.securemx.jp> (yokoyamy@jacic.or.jp)
yokoyamy@jacic.or.jp writes:
> Hi. Thanks for your advice.
>
> My case is a bit complicated.
>
> DES hashed text stored in my RDB is actually cleartext for the RDB itself.
>
> slapd/ldapsearch show it as clear text with base64.
If your RDB is storing a DES password compatible for LDAP, it must store
a character string of the form "{CRYPT}F6ojc88jnbdc".
The {CRYPT} part is telling LDAP that the string is a DES password. If
there is no {CRYPT} part, LDAP assumes that the string is a cleartext
password (this is confirmed by what you say below, you can connect if
you type the base64/DES text).
So you should:
- take whatever password text that is currently stored in RDB
- remove base64
- append {CRYPT} at the beginning
- store that back in RDB
The RDB will now be storing a DES password that LDAP can use.
I suggest that you test with one account before changing all accounts.
Does any system use the password in RDB or only LDAP? If only LDAP, you
can modify all passwords. If other systems use the password, you must
have one password in LDAP format ({CRYPT} no base64) and one password
for the other applications (no {CRYPT} and base64). Or you must find a
way for the RDB to present a different password to LDAP and to the other
application (for example, depending on the IP address of the client
asking for the password).
Best regards,
Olivier
>
> When I give the original password, the certification process returns invalid credential,
> but when I give the DES hashed text which is the same value as in the RDB, certification succeeds as you wrote.
>
>
> However, I'd like slapd/ldapsearch to change the input password to the same value in the RDB instead of typing it myself because I can read the RDB directory but others can't.
>
>
>
> I've confirmed my crypt can hash the text into the same value as the text in the RDB.
>
> Any idea?
>
> in message "Re: How to make ldap evaluate clear text password vs DES stored password",
> Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
>> Hi,
>>
>> >LDAP’s userPassword stored in the RDB has been already DES hashed by
>> >original app. On the other hand, input password from ldapsearch command
>> >line is CLEARTEXT.
>> >
>> >I’d like to change certification process of LDAP source file to make input
>> >password into DES hashed by using 2 characters of userPassword as its
>> >SALT.
>>
>> That is how LDAP works if it knows that your password is DES.
>>
>> But the encoding for DES by LDAP may be slightly different from the
>> encoding for DES by your original app.
>>
>> For a DES encrypted password, LDAP expects to see:
>> userpassword: {CRYPT}6FgwLHWxQzlgA
>> where 6F is the salt (LDAP knows that the 6F is the salt)
>>
>> So if your RDB only contains 6FgwLHWxQzlgA, you may have to modify that.
>>
>> Or I did not understand your question.
>>
>> Best regards,
>>
>> Olivier
>
>
>
--
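The conversion Olivier describes (strip the base64 layer, prepend {CRYPT}, keep the first two characters as the salt) and the bind check slapd then performs, as an added Python example that is not part of this thread. It assumes the RDB value is either a base64 wrapping of, or directly, a traditional 13-character DES crypt(3) string (2 salt characters + 11 hash characters, as in the {CRYPT}6FgwLHWxQzlgA example above), and it calls the system crypt(3) through ctypes, returning None where the platform's libcrypt no longer offers DES.

```python
import base64
import binascii
import ctypes
import ctypes.util
import re

# Traditional DES crypt(3) output: 2-character salt + 11 characters, all from this alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIX = "{CRYPT}"


def unwrap_rdb_value(stored: str) -> str:
    """Return the bare 13-char DES hash, removing a base64 layer if one is present."""
    try:
        candidate = base64.b64decode(stored, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        candidate = stored  # not base64: assume the RDB already holds the raw hash
    if not DES_CRYPT_RE.match(candidate):
        raise ValueError(f"{candidate!r} is not a 13-character DES crypt string")
    return candidate


def to_ldap_userpassword(stored: str) -> str:
    """Value to write back to the RDB so slapd treats it as a crypt(3) hash."""
    return PREFIX + unwrap_rdb_value(stored)


def system_crypt(password: str, salt: str):
    """Call crypt(3) from libcrypt via ctypes; None if DES is unavailable here."""
    try:
        lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
        fn = lib.crypt
    except (OSError, AttributeError):
        return None
    fn.restype = ctypes.c_char_p
    fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    out = fn(password.encode(), salt.encode())
    # libxcrypt signals "hash method disabled" with a result starting with '*'
    return out.decode() if out and not out.startswith(b"*") else None


def slapd_style_compare(candidate: str, userpassword: str):
    """Mimic slapd's simple-bind check on a userPassword value.
    With {CRYPT}: crypt(candidate, first two chars of the hash) must equal the hash.
    Without a prefix: plain string compare, which is why typing the hash itself
    'succeeds' against an unprefixed value. Returns None if crypt(3) lacks DES."""
    if not userpassword.startswith(PREFIX):
        return candidate == userpassword
    stored = userpassword[len(PREFIX):]
    computed = system_crypt(candidate, stored[:2])  # reuse the stored salt
    return None if computed is None else computed == stored
```

The base64 string used in the checks is a constructed wrapping of the thread's own 6FgwLHWxQzlgA hash; test one account this way before rewriting every row.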