
Re: (ITS#8023) slappasswd with sha2 overlay can generate hashes but not salted hashes



I do apologise for the confusion, I'll try to clarify below:

Here is the command you ran successfully:
/opt/zimbra/openldap/sbin/slappasswd -h
'{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
module-load=pw-sha2 -s test
{SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9

Here is an example of me running just a plain SHA512
slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
module-load=pw-sha2
{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/1nsUNzLDBMxfqa2Ob1f1ACio/w==

And here is an example of me running a salted SHA512 (SSHA512)
slappasswd -h '{SSHA512}' -o module-path=/usr/local/libexec/openldap -o 
module-load=pw-sha2 -s test
Password verification failed.

I hope this helps to clarify.

On 2015-01-13 19:14, Quanah Gibson-Mount wrote:
> --On Tuesday, January 13, 2015 7:11 PM +0000 Jonathan Price
> <freebsd@jonathanprice.org> wrote:
>
>> Hi,
>>
>>  From the original email:
>> However, if I replace {SHA512} with {SSHA512} it produces the following
>> output:
>> Password verification failed.
>
> You also were not clear *where* you did this replacement.  It is
> certainly not valid to do this replacement on the generated hash, as the
> generated hash was non-salted, and just adding another S in there will
> not magically make it salted.  It is valid to do this replacement in the
> slappasswd line when generating a hash, as per my example, so that a
> salted hash is generated.
>
> --Quanah
>
>
>> It's interesting to see that it does work under certain conditions then.
>> It appears that your OpenLDAP installation is part of a Zimbra
>> installation. Does Zimbra make any modifications to OpenLDAP, or is it
>> just built on top of it?
>>
>> Either way, I think I'm going to try it on Debian, just to rule out it
>> being a FreeBSD issue, which it quite well could be at this point.
>>
>> On 2015-01-13 19:01, Quanah Gibson-Mount wrote:
>>> --On Tuesday, January 13, 2015 6:52 PM +0000 freebsd@jonathanprice.org
>>> wrote:
>>>
>>>> Full_Name: Jonathan Price
>>>> Version: 2.4.40
>>>> OS: FreeBSD 10.1
>>>> URL: ftp://ftp.openldap.org/incoming/
>>>> Submission from: (NULL) (80.47.105.54)
>>>>
>>>>
>>>> I have compiled version 2.4.40 with the SHA2 module enabled.
>>>>
>>>> I then run the slappasswd with the following arguments:
>>>> slappasswd -h '{SHA512}' -o module-path=/usr/local/libexec/openldap -o
>>>> module-load=pw-sha2
>>>
>>> You requested a non salted hash -> SHA512
>>>
>>> Did you try requesting a salted hash? -> SSHA512
>>>
>>> Works fine for me, and I've been using it in production for quite some
>>> time.
>>>
>>> [zimbra@zre-ldap003 ~]$ /opt/zimbra/openldap/sbin/slappasswd -h
>>> '{SSHA512}' -o module-path=/opt/zimbra/openldap/sbin/openldap -o
>>> module-load=pw-sha2 -s test
>>> {SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9
>>>
>>>
>>>
>>> --Quanah
>>>
>>> --
>>>
>>> Quanah Gibson-Mount
>>> Platform Architect
>>> Zimbra, Inc.
>>> --------------------
>>> Zimbra ::  the leader in open source messaging and collaboration
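For readers following the thread, here is an added Python example (written for this page, not OpenLDAP's own code) of the value layout pw-sha2 emits: `{SCHEME}` followed by base64 of the digest, with the 8-byte salt appended to the digest for the salted S-variants and the salt also fed into the hash after the password. It parses, verifies and regenerates such values; the two constants are the slappasswd outputs quoted in the thread, with the mail-wrapped SSHA512 line rejoined.

```python
import base64
import hashlib
import hmac
import os
import re

# pw-sha2 layout: "{SCHEME}" + base64(digest || salt). Salted schemes hash
# password || salt and append the salt; unsalted ones hash the password alone.
SCHEMES = {
    "SHA256": (hashlib.sha256, False), "SSHA256": (hashlib.sha256, True),
    "SHA512": (hashlib.sha512, False), "SSHA512": (hashlib.sha512, True),
}
SALT_LEN = 8  # pw-sha2 uses an 8-byte random salt
_STORED_RE = re.compile(r"^\{([A-Z0-9]+)\}([A-Za-z0-9+/=]+)$")

# slappasswd output quoted in the thread; the SSHA512 line was mail-wrapped and is rejoined here
THREAD_SHA512 = ("{SHA512}7iaw3Ur350mqGo7jwQrpkj9hiYB3Lkc/iBml1JQODbJ6wYX4oOHV+E+IvIh/"
                 "1nsUNzLDBMxfqa2Ob1f1ACio/w==")
THREAD_SSHA512 = ("{SSHA512}TSwAWmK3sv42RbAasugMPR8d7GLozXtKU00v5Jdd4ebmXBsOpt5We5HNkXxFfy5"
                  "Ptaoa/KUsmTV5484NA3UmrHrOpyUVnEh9")

def parse(stored):  # -> (scheme, digest, salt); salt is b"" for unsalted schemes
    m = _STORED_RE.match("".join(stored.split()))  # tolerate wrapped or pasted input
    if not m or m.group(1) not in SCHEMES:
        raise ValueError("not a pw-sha2 value: %r" % stored[:12])
    scheme, body = m.groups()
    hashfn, salted = SCHEMES[scheme]
    raw = base64.b64decode(body, validate=True)
    dlen = hashfn().digest_size
    if salted and len(raw) > dlen:
        return scheme, raw[:dlen], raw[dlen:]
    if not salted and len(raw) == dlen:
        return scheme, raw, b""
    raise ValueError("decoded length %d does not fit %s" % (len(raw), scheme))

def generate(scheme, password, salt=None):  # what slappasswd -h '{SCHEME}' prints
    hashfn, salted = SCHEMES[scheme]
    salt = (os.urandom(SALT_LEN) if salt is None else salt) if salted else b""
    digest = hashfn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def verify(stored, password):  # recompute with the stored salt, compare in constant time
    scheme, digest, salt = parse(stored)
    hashfn, _ = SCHEMES[scheme]
    return hmac.compare_digest(hashfn(password.encode("utf-8") + salt).digest(), digest)

if __name__ == "__main__":
    for stored in (THREAD_SHA512, THREAD_SSHA512):
        print(stored[:stored.index("}") + 1], "verifies 'test':", verify(stored, "test"))
    print(generate("SSHA512", "test"))  # differs every run: fresh salt
```

The unsalted `{SHA512}` value from the thread decodes to exactly sha512("test"), which is why it verifies; a salted value can only be verified by reusing the salt stored after the digest, never by editing the scheme tag.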