
Re: Openldap-ldb-2.4.44-2 - Issue with Password Management



OpenLDAP's slapd daemon only hashes passwords that are managed with
the "LDAP Password Modify Extended Operation", in which the password
arrives at the server in cleartext. Passwords are not hashed when
changed over the normal LDAP modify operation; they are written
verbatim - of course you can't send a SHA hash to the server and
expect that it complies with password policy. What do you think, that
slapd is able to automagically decrypt your hashes in real-time in
order to perform policy checks?


-mike

On Wed, Nov 29, 2017 at 8:08 AM, Raja T Nair <rtnair@gmail.com> wrote:
> Hello All,
>
> I'm using openldap-ltb-2.4.44-2
> Using password-hash {SSHA512}
>
> We have an in-house portal which allows people to change their passwords.
> It is written in PHP.
>
> version = php 5.6
> lib = php-ldap
> $entry['userpassword'] = $newpasswd;
> ldap_modify($conn, $userdn, $entry);
>
> $newpasswd contains new password in plain text.
>
> It seems that the server does not encrypt the plain text string sent to it
> from the portal; it only encodes it in base64.
>
> When an encrypted string is sent (SSHA512), the server rejects based on
> password policy since no special character is present.
>
> We would want to make the first method work. Can somebody help me with
> this?
>
> ps: ldappasswd command works perfectly and the password gets encrypted in
> SSHA512 and encoded in base64.
>
> Best Regards,
> Raja.
>
> --
> :^)
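The portal change that the reply above implies, as an added example that is not code from this thread or from the OpenLDAP project: send the new password through the Password Modify Extended Operation (RFC 3062) instead of writing userPassword with ldap_modify(), so that slapd applies its password-hash directive and password-policy checks. It assumes PHP 7.2 or later (ldap_exop_passwd() does not exist in PHP 5.6); the server URI and DN are placeholders.

```php
<?php
// Added example, not from the original thread. Replaces the portal's
// ldap_modify() on userPassword with the Password Modify Extended Operation,
// the path on which slapd hashes the value and enforces password policy.
// Assumes PHP >= 7.2 for ldap_exop_passwd(); URI and DN are placeholders.

function change_password_via_exop(string $uri, string $userDn,
                                  string $oldPassword, string $newPassword): bool
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("cannot parse LDAP URI $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // The new password travels in cleartext inside the request, so the
    // session must be TLS-protected; upgrade with StartTLS unless ldaps://.
    if (stripos($uri, 'ldaps://') !== 0 && !ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }

    // Bind as the user with the current password so the server, not the
    // portal, is the one verifying the old credential.
    if (!@ldap_bind($conn, $userDn, $oldPassword)) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }

    // RFC 3062 request: identity, old password, new password. slapd hashes
    // the new value with its configured password-hash and runs ppolicy.
    $result = ldap_exop_passwd($conn, $userDn, $oldPassword, $newPassword);
    if ($result === false) {
        // A policy rejection (e.g. missing special character) is reported
        // here as an error instead of a cleartext value being stored.
        $msg = ldap_error($conn);
        ldap_unbind($conn);
        throw new RuntimeException("password modify rejected: $msg");
    }
    ldap_unbind($conn);
    return true;
}

// Constructed sample values; replace with the portal's real URI and DN.
change_password_via_exop('ldaps://ldap.example.com',
                         'uid=jdoe,ou=People,dc=example,dc=com',
                         'OldP@ssw0rd', 'N3w-P@ssw0rd!');
```

The ldappasswd command mentioned in the original post uses this same extended operation, which is why it produces an {SSHA512} value while the ldap_modify() path stores the string verbatim.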