Re: How to make ldap evaluate clear text password vs DES stored password
Thanks.
My CentOS can make cleartext into DES.
Here is a part of my previous slapd.conf:
olcPasswordHash: {CRYPT}
olcSizeLimit: 5000
olcPasswordCryptSaltFormat: "_%s"
Unfortunately, it didn't work for my issue.
I think my slapd uses DES when I try to store a new userPassword.
However, in this case, I already have a DES hashed userPassword and have been trying to match it
with the input password from the ldapsearch command.
I think unless I fetch userPassword from the RDB through slapd,
I will not be able to find the SALT in userPassword.
How can I tell slapd that the SALT for DES will be the first two letters in the stored userPassword?
In message "Re: How to make ldap evaluate clear text password vs DES stored password",
Dan White <dwhite@cafedemocracy.org> wrote:
> On 09/20/18 08:43 +0900, yokoyamy@jacic.or.jp wrote:
> >LDAP's userPassword stored in the RDB has already been DES hashed by
> >the original app. On the other hand, the input password from the ldapsearch command
> >line is CLEARTEXT.
>
> >I’d like to change certification process of LDAP source file to make input
> >password into DES hashed by using 2 characters of userPassword as its
> >SALT.
>
> >I already know that the 2 characters at the beginning of userPassword were
> >used as its SALT when it was hashed.
>
> >So the fact is, my slapd can read userPassword from the RDB. I think I'll
> >be able to find out what will be the SALT to make the input password into DES
> >hashed text.
>
> If the hashed/encrypted password is supported by your local crypt(3)
> library, you can prepend the userPassword value with {CRYPT} as specified
> in slapd-config(5) and section 14.4.2 of the Admin Guide.
>
> Else, if you have a pam module which supports authentication of your hash,
> take a look at Pass-Through authentication (section 14.5).
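
The salt handling discussed in this thread, as an added example that is not part of the original messages or of OpenLDAP's code: a traditional DES crypt(3) value carries its salt in its first two characters, so verification re-hashes the cleartext with that salt and compares, and the {CRYPT} prefix only marks the stored value for that check. The helper names and the sample hash are constructed for illustration, and the script assumes the local crypt(3) still supports DES.

```ruby
# Added example: verify a cleartext password against a traditional
# DES crypt(3) hash and build the {CRYPT} form of userPassword.
# All helper names here are hypothetical, not OpenLDAP identifiers.

# Traditional DES crypt output: 2 salt characters + 11 hash characters.
DES_CRYPT_RE = %r{\A[./0-9A-Za-z]{13}\z}

# Constant-time comparison so timing does not reveal matching prefixes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-hash the candidate using the salt taken from the stored value.
def des_crypt_match?(cleartext, stored)
  return false unless stored.match?(DES_CRYPT_RE)
  salt = stored[0, 2]                      # salt = first two characters
  secure_equal?(cleartext.crypt(salt), stored)
end

# Value to place in userPassword so the hash is checked through crypt(3).
def to_crypt_scheme(stored)
  unless stored.match?(DES_CRYPT_RE)
    raise ArgumentError, "not a traditional DES crypt hash"
  end
  "{CRYPT}#{stored}"
end

# Constructed sample: produced at run time by the local crypt(3),
# standing in for a hash already stored by the original application.
SAMPLE_HASH = "secret12".crypt("ab")

if __FILE__ == $PROGRAM_NAME
  puts "stored value : #{SAMPLE_HASH}"
  puts "userPassword : #{to_crypt_scheme(SAMPLE_HASH)}"
  puts "correct pw   : #{des_crypt_match?('secret12', SAMPLE_HASH)}"
  puts "wrong pw     : #{des_crypt_match?('wrongpw', SAMPLE_HASH)}"
  # Traditional DES crypt only uses the first 8 characters of the password.
  puts "8-char prefix: #{des_crypt_match?('secret12EXTRA', SAMPLE_HASH)}"
end
```

The last check succeeds because traditional DES crypt ignores everything after the eighth password character, which is worth knowing before keeping such hashes in a directory long term.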