Re: (ITS#9137) slappasswd generate wrong SSHA from file
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#9137) slappasswd generate wrong SSHA from file
- From: hyc@symas.com
- Date: Thu, 12 Dec 2019 13:02:58 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
antoine.tran@thales-services.fr wrote:
> Full_Name: Antoine TRAN
> Version: openldap-servers-2.4.44-21.el7_6.x86_64
> OS: CentOS Linux release 7.7.1908 (Core)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (213.190.88.94)
>
>
> I use slappasswd to generate an SSHA password. The issue is that its behavior is
> different depending on whether I submit the password on stdin or on the command line with '-s',
> or from a secret file with '-T'. Command:
> slappasswd -h {SSHA}
> => write 'd' twice as password
> slappasswd -h {SSHA} -s d
>
> provides working SSHA.
>
> But:
> echo d >/run/secrets/rootpw
> slappasswd -h {SSHA} -T /run/secrets/rootpw
> provides a valid SSHA, but that does not match the password.
>
> My multiple tests are done by replacing rootpw in /etc/openldap/slapd.conf,
> regenerating with:
> systemctl stop slapd
> sed -i -e "s,rootpw .*\$,rootpw ${ROOTPW_HASH},g" /etc/openldap/slapd.conf
> slapcat -n 0 -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
> systemctl start slapd
> ldapsearch -D "${ROOTDN}" -w "${ROOTPW}"
>
> The content of the secret file can be "d" or "d\n", it does not make a
> difference. Also, if I change the schema from SSHA to just a fixed salt, the
> '-T' seems to work as expected:
> (a) slappasswd -c 123
> => write d twice
> (b) slappasswd -c 123 -s 123
> (c) slappasswd -c 123 -T /run/secrets/rootpw
>
> (a), (b) and (c) give the exact same hash. But I cannot put a fixed salt and
> use SSHA; slappasswd prevents me from that, with an error that the scheme is already
> provided.
Unable to reproduce, SSHA works fine here.
Obviously you can't use a fixed salt with SSHA; the whole point of its salt is to
be random and different every time.
When using a password in a file you must ensure the trailing '\n' is omitted. This
is already documented in the manpage.
>
> I saw the same issue in another openldap mail:
> https://www.openldap.org/lists/openldap-software/200805/msg00060.html but no
> answer.
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
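To show why the file-based hash in the report above is "valid" yet never matches, here is an added example (not OpenLDAP's code) that reimplements the {SSHA} scheme slappasswd emits, base64(SHA1(password || salt) || salt), and compares hashing the secret file's contents verbatim ("d\n", as `echo d >` writes) against hashing them with the trailing newline stripped. The file contents are embedded as a constructed byte string rather than read from /run/secrets/rootpw.

```python
import base64
import hashlib
import hmac
import os

# Added example, not OpenLDAP's own implementation: models the {SSHA} value
# that slappasswd produces so the trailing-newline mismatch can be observed.

def ssha_hash(password: bytes, salt=None) -> str:
    """Return an {SSHA} userPassword value for the given password bytes."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd picks a fresh random salt each run
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt is the tail
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def read_secret_file(data: bytes, strip_newline: bool) -> bytes:
    """Stand-in for reading a '-T' secret file; 'data' is the file's contents."""
    return data.rstrip(b"\n") if strip_newline else data

def demo() -> dict:
    file_contents = b"d\n"   # constructed: what `echo d > /run/secrets/rootpw` writes
    typed_password = b"d"    # what the user types at the slappasswd/ldapsearch prompt

    # Verbatim file contents, as slappasswd -T hashes them
    stored_verbatim = ssha_hash(read_secret_file(file_contents, strip_newline=False))
    # Same file with the newline removed, i.e. what `printf 'd' >` would have produced
    stored_stripped = ssha_hash(read_secret_file(file_contents, strip_newline=True))

    return {
        "verbatim_matches_typed": ssha_verify(typed_password, stored_verbatim),
        "verbatim_matches_file": ssha_verify(file_contents, stored_verbatim),
        "stripped_matches_typed": ssha_verify(typed_password, stored_stripped),
    }

if __name__ == "__main__":
    print(demo())
```

The hash built from "d\n" verifies only against "d\n", so a bind with the typed password "d" fails even though the {SSHA} value itself is well formed.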