
RE: why '{SSHA}***' method is "Invalid credentials (49)"?

Because the possibility of using a hashed password value for user
authentication is a very big security risk.

You could perhaps read the userPassword attributes of all OpenLDAP users (if
the ACLs are defined incorrectly) and after that perform any operation as any
"legal" authenticated user.

As a solution to this problem, OpenLDAP (or any other system) must accept
only the cleartext password.


Andris Eiduks

System security specialist
TietoEnator  SIA
Banking & Insurance

-----Original Message-----
.org] On Behalf Of Buchan Milne
Sent: Wednesday, April 04, 2007 12:19 PM
To: openldap-software@openldap.org
Cc: Rocky Zhou
Subject: Re: why '{SSHA}***' method is "Invalid credentials (49)"?

On Tuesday 03 April 2007, Rocky Zhou wrote:
> Now I'm making OpenLDAP and Kerberos work together, and I have a
> question about the password LDAP uses. The configuration file
> /usr/local/etc/openldap/slapd.conf has these lines:
> # rootpw                secret
> rootpw          {SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ
> where the second line is generated by slappasswd. I tried to use:
> sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w '{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ'
> to import account info into the database, but it reports:
> ldap_bind: Invalid credentials (49)
> If I use:
> rootpw                secret
> sh$ ldapadd -x -h localhost -D "cn=ldapadmin,dc=shoepx,dc=org" -f passwd.ldif -w 'secret'
> it works.
> So why does the '{SSHA}' method fail?

Because hashes are one-way.

It would be pointless if you could use the hash as a clear-text

If you want strong authentication, don't use simple binds (thus, you need to
end up removing rootpw).


Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
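To make the point of both replies concrete, here is an added illustration (not code from the thread or from OpenLDAP itself) of what slapd does with an {SSHA} rootpw: it decodes the stored value into a SHA-1 digest plus salt, re-hashes whatever the client sent in the simple bind together with that salt, and compares the digests. The cleartext "secret" therefore verifies, while sending the hash string itself as the password is just another wrong cleartext. The salt, the cleartext and the `simulate_simple_bind` helper are constructed for this example; the only value taken from the thread is the rootpw hash, which is parsed here to show its layout (20-byte digest followed by a 4-byte salt).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA}"

# The rootpw value from the original question (hash only; its cleartext is not on the page).
PAGE_ROOTPW = "{SSHA}n+R5iqJRHTiaosqPJVx03NF+bIStW6pQ"


def ssha_parse(stored: str) -> Tuple[bytes, bytes]:
    """Split an {SSHA} value into (sha1_digest, salt).

    The OpenLDAP layout is base64(sha1(password || salt) || salt); SHA-1 digests
    are always 20 bytes, so everything after byte 20 is the salt.
    """
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= 20:
        raise ValueError("value too short to contain a digest and a salt")
    return raw[:20], raw[20:]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value the way slappasswd does (random 4-byte salt by default)."""
    if salt is None:
        salt = os.urandom(4)  # assumption: 4 bytes, matching the 24-byte value in the thread
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Server-side check: recompute the digest with the stored salt and compare.

    Only the cleartext can satisfy this; the hash is one-way, so feeding the
    stored string back in simply hashes to something else.
    """
    digest, salt = ssha_parse(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def simulate_simple_bind(rootpw: str, supplied: str) -> str:
    """Model slapd handling 'ldapadd -x -D <rootdn> -w <supplied>' against a rootpw directive.

    rootpw may be a cleartext value or an {SSHA} value, as in the two slapd.conf
    variants from the question. Returns the LDAP result text the client would see.
    """
    if rootpw.startswith(SCHEME):
        ok = ssha_verify(rootpw, supplied)
    else:
        ok = hmac.compare_digest(rootpw.encode("utf-8"), supplied.encode("utf-8"))
    return "Success (0)" if ok else "Invalid credentials (49)"


if __name__ == "__main__":
    # Constructed example: a fixed salt so the run is reproducible.
    hashed_rootpw = ssha_hash("secret", salt=b"\x01\x02\x03\x04")
    print("rootpw", hashed_rootpw)
    print("bind with cleartext :", simulate_simple_bind(hashed_rootpw, "secret"))
    print("bind with hash value:", simulate_simple_bind(hashed_rootpw, hashed_rootpw))
    digest, salt = ssha_parse(PAGE_ROOTPW)
    print("page rootpw: %d-byte digest, %d-byte salt" % (len(digest), len(salt)))
```

Note that `-w` on the ldapadd command line hands the cleartext to slapd, which is the value slapd needs to recompute the hash; the {SSHA} string belongs only in slapd.conf (or in userPassword), never on the client side. Using `-W` to prompt for the password keeps the cleartext out of shell history and process listings.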