Re: Antw: Passwords, Hashing, and Binds
--On Friday, August 29, 2014 9:55 AM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:

>> Bram Cymet <bcymet@cbnco.com> wrote on 28.08.2014 at 22:26 in message <53FF9080.1050209@cbnco.com>:
>> Hi,
>>
>> I am storing users' passwords in a userPassword attribute. When the
>> passwords are hashed with MD5 I can bind as the user just fine. If I
>> hash the password with sha-256 I get invalid credentials.
>
> I wonder: My slappasswd only knows about {SHA} and {SSHA}, {MD5} and
> {SMD5}, {CRYPT}, and {CLEARTEXT}. Section 14.4 of the manual indicates
> that hashed passwords are non-standard anyway. So implement the
> non-standard on your clients.

It takes 5 seconds to look in the contrib directory shipped with the source
and find:

SHA-2 OpenLDAP support
----------------------

slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256,
SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For
instance, one could have the LDAP attribute:

userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==

or:

userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt

or:

userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

all of which encode the password 'secret'.

(etc). As I already stated, there's a module for this. I use it on my
systems to add SSHA512 support.

--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
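
Added example, not part of the original message and not code from the OpenLDAP contrib module: a Python check of the `{SCHEME}base64` userPassword values quoted from the README above, covering the six schemes it lists. It assumes the salted variants use the same layout as OpenLDAP's {SSHA} (hash of password followed by salt, salt appended to the digest before base64 encoding) and an 8-byte salt; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
import re

# Scheme name -> (hashlib algorithm, salted?) for the six schemes the README lists.
SCHEMES = {
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA384": ("sha384", False), "SSHA384": ("sha384", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}

def parse(value):
    """Split '{SCHEME}base64' into (algorithm, digest, salt); None if unusable."""
    m = re.fullmatch(r"\{([A-Za-z0-9]+)\}([A-Za-z0-9+/]+={0,2})", value.strip())
    if not m or m.group(1).upper() not in SCHEMES:
        return None
    algo, salted = SCHEMES[m.group(1).upper()]
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return None
    size = hashlib.new(algo).digest_size
    # Unsalted values are exactly one digest long; salted ones carry extra bytes.
    if len(raw) < size or (len(raw) == size) == salted:
        return None
    return algo, raw[:size], raw[size:]

def verify(value, password):
    """True if password matches the stored value (constant-time comparison)."""
    parsed = parse(value)
    if parsed is None:
        return False
    algo, digest, salt = parsed
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def make(scheme, password, salt=None):
    """Build a userPassword value; salted schemes get a random 8-byte salt (assumed size)."""
    algo, salted = SCHEMES[scheme]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

# Value copied from the README excerpt in the message above.
README_SHA256 = "{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols="
```

The unsalted schemes always produce the same string for the same password, while two `make("SSHA512", ...)` calls for one password differ, which is why the salted variant is the one worth deploying.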