[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: How to make ldap evaluate clear text password vs DES stored password
Hi.
you've gat solve my problem.Thank you so much.
in message "Re: How to make ldap evaluate clear text password vs DES stored password",
Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
> yokoyamy@jacic.or.jp writes:
>
> > Hi.thanks for your advice.
> >
> > My cas is a bit complicated.
> >
> > DES hashed text stored in my RDB is actually cleartext for the RDB itself.
> >
> > slapd/ldapsearch show it as cleare text with base64 .
>
> If your RDB is storing a DES password compatible for LDAP, it must store
> a character sting of the form "{CRYPT}F6ojc88jnbdc".
>
> The {CRYPT} part is telling LDAP that the string is a DES password. If
> there is no {CRYPT} part, LDAP assumes that the string is a cleartext
> password (this is confirmed by what you say below, you can connect if
> you type the base64/DES text).
>
> So you should:
>
> - take whatever password text that is currently stored in RDB
> - remove base64
> - append {CRYPT} at the begining
> - store that back in RDB
>
> The RDB will now be storing a DES password that LDAP can use.
>
> I suggest that you test with one account before changing all accounts.
>
> Does any system use the password in RDB or only LDAP? If only LDAP, you
> can modify all passwords. If other system use the password, you must
> have one password in LDAP format ({CRYPT} no base64) and one password
> for the other applications (no {CRYPT} and base64). Or you must find a
> way for the RDB to present a different password to LDAP and to the other
> application (for example, depending on the IP address of the client
> asking for the password).
>
> Best regards,
>
> Olivier
>
> >
> > When i give original password,certification process returns invalid credential,
> > but when i give DES hashed text which is same value of the RRD,certification succeed as you wrote.
> >
> >
> > However,I'd like slapd/ldasearch to change input password to same value in the RDB instead of typing by myslf because,I can read the RDB directory but others can't.
> >
> >
> >
> > I've confirmed my crypt can hash the text into same value of text in theRDB.
> >
> > Any idea?
> >
> > in message "Re: How to make ldap evaluate clear text password vs DES stored password",
> > Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
> >> Hi,
> >>
> >> >LDAP’s userPassowrd stored in the RDB has been already DES hashed by
> >> >original app. On the other hand, input password from ldapseach command
> >> >line is CREARTEXT.
> >> >
> >> >I’d like to change certification process of LDAP source file to make input
> >> >password into DES hashed by using 2 characters of userPassword as its
> >> >SALT.
> >>
> >> That is how LDAP works if it knows that your passwrd is DES.
> >>
> >> But the encoding for DES by LDAP may be slightly different from the
> >> encoding for DES by your original app.
> >>
> >> For a DES encrypted password, LDAP expects to see:
> >> userpassword: {CRYPT}6FgwLHWxQzlgA
> >> where 6F is the salt (LDAP knows that the 6F is the salt)
> >>
> >> So if your RDB only contains 6FgwLHWxQzlgA, you may have to modify that.
> >>
> >> Or I did not understood your question.
> >>
> >> Best regards,
> >>
> >> Olivier
> >
> >
> >
>
> --