
Re: How to make ldap evaluate clear text password vs DES stored password



It makes sense. Thanks.

I'll try your method next week 
and will report its result.


in message "Re: How to make ldap evaluate clear text password vs DES stored password",
Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
> yokoyamy@jacic.or.jp writes:
> 
> > Hi, thanks for your advice.
> >
> > My case is a bit complicated.
> >
> > DES hashed text stored in my RDB is actually cleartext for the RDB itself.
> >
> > slapd/ldapsearch show it as clear text with base64.
> 
> If your RDB is storing a DES password compatible for LDAP, it must store
> a character string of the form "{CRYPT}F6ojc88jnbdc".
> 
> The {CRYPT} part is telling LDAP that the string is a DES password. If
> there is no {CRYPT} part, LDAP assumes that the string is a cleartext
> password (this is confirmed by what you say below, you can connect if
> you type the base64/DES text).
> 
> So you should:
> 
> - take whatever password text that is currently stored in RDB
> - remove base64
> - append {CRYPT} at the beginning
> - store that back in RDB
> 
> The RDB will now be storing a DES password that LDAP can use.
> 
> I suggest that you test with one account before changing all accounts.
> 
> Does any system use the password in RDB or only LDAP? If only LDAP, you
> can modify all passwords. If other systems use the password, you must
> have one password in LDAP format ({CRYPT} no base64) and one password
> for the other applications (no {CRYPT} and base64). Or you must find a
> way for the RDB to present a different password to LDAP and to the other
> application (for example, depending on the IP address of the client
> asking for the password).
> 
> Best regards,
> 
> Olivier
> 
> >
> > When I give the original password, the certification process returns invalid credentials,
> > but when I give the DES hashed text, which is the same value as in the RDB, certification succeeds, as you wrote.
> >
> >
> > However, I'd like slapd/ldapsearch to change the input password to the same value as in the RDB instead of typing it myself, because I can read the RDB directory but others can't.
> >
> >
> >
> > I've confirmed my crypt can hash the text into the same value as the text in the RDB.
> >
> > Any idea?
> >
> > in message "Re: How to make ldap evaluate clear text password vs DES stored password",
> > Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
> >> Hi,
> >> 
> >> >LDAP's userPassword stored in the RDB has been already DES hashed by
> >> >the original app. On the other hand, the input password from the ldapsearch command
> >> >line is CLEARTEXT.
> >> >  
> >> >I'd like to change the certification process of the LDAP source file to make the input
> >> >password into DES hashed by using 2 characters of userPassword as its
> >> >SALT.
> >> 
> >> That is how LDAP works if it knows that your password is DES.
> >> 
> >> But the encoding for DES by LDAP may be slightly different from the
> >> encoding for DES by your original app.
> >> 
> >> For a DES encrypted password, LDAP expects to see:
> >> userpassword: {CRYPT}6FgwLHWxQzlgA
> >> where 6F is the salt (LDAP knows that the 6F is the salt)
> >> 
> >> So if your RDB only contains 6FgwLHWxQzlgA, you may have to modify that.
> >> 
> >> Or I did not understand your question.
> >> 
> >> Best regards,
> >> 
> >> Olivier
> >
> >
> >
> 
> --
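The comparison Olivier describes above, as an added worked example for this page (it is not code from the thread and not OpenLDAP's own implementation): a stored userPassword with no {SCHEME} prefix is compared as cleartext, which is why typing the 13-character crypt string authenticates, while {CRYPT} makes the server run crypt(3) on the typed password using the stored value as the setting (for traditional DES only the first two characters, the salt, matter) and compare the result. {SHA} and {SSHA} are included for contrast. Assumptions, labelled in the code: the RDB column holds the base64 encoding of the 13-character crypt string (the poster's "base64" remark), the sample value RDB_SAMPLE is constructed from the hash quoted in the thread, and the crypt(3) backend is Python's crypt module or libcrypt via ctypes, with CRYPT_AVAILABLE false where the libc no longer offers DES.

```python
"""Re-implementation of the userPassword check discussed in the thread.
Added example for this page; not OpenLDAP code.  Schemes: no prefix
(cleartext), {CRYPT} (crypt(3); DES salt = first two chars), {SHA}, {SSHA}."""
import base64
import hashlib
import hmac
import os

# crypt(3) backend.  Python's crypt module was removed in 3.13, so fall back to
# libcrypt through ctypes.  CRYPT_AVAILABLE is False if neither works or the
# libc refuses traditional DES (libxcrypt can be built without it).
try:
    from crypt import crypt as _crypt
except ImportError:
    try:
        import ctypes
        import ctypes.util
        _lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
        _lib.crypt.restype = ctypes.c_char_p
        _lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

        def _crypt(word, salt):
            out = _lib.crypt(word.encode(), salt.encode())
            return out.decode() if out else None
    except (OSError, AttributeError):
        _crypt = None


def _des_crypt_works():
    """Probe the backend: a DES setting 'ab' must yield a 13-char string starting 'ab'."""
    if _crypt is None:
        return False
    try:
        probe = _crypt("probe", "ab")
    except Exception:
        return False
    return bool(probe) and len(probe) == 13 and probe.startswith("ab")


CRYPT_AVAILABLE = _des_crypt_works()


def split_scheme(stored):
    """'{CRYPT}6FgwLHWxQzlgA' -> ('CRYPT', '6FgwLHWxQzlgA'); no prefix -> (None, value)."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 0:
            return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())


def verify_password(stored, candidate):
    """Return True if the cleartext candidate matches the stored userPassword value."""
    scheme, data = split_scheme(stored)
    if scheme is None:
        # The thread's situation: a bare hash is treated as the password itself,
        # so only typing the hash string authenticates.
        return _eq(data, candidate)
    if scheme == "CRYPT":
        if not CRYPT_AVAILABLE:
            raise RuntimeError("no usable crypt(3) backend")
        # The whole stored value is the setting; for DES only its first two
        # characters (the salt) are used, as described in the thread.
        return _eq(_crypt(candidate, data) or "", data)
    if scheme == "SHA":
        digest = hashlib.sha1(candidate.encode()).digest()
        return _eq(base64.b64encode(digest).decode(), data)
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    raise ValueError("unsupported scheme " + scheme)


def make_crypt_hash(password, salt):
    """The 13-character DES crypt string the original app would have stored."""
    if not CRYPT_AVAILABLE:
        raise RuntimeError("no usable crypt(3) backend")
    return _crypt(password, salt[:2])


def make_ssha_hash(password, salt=None):
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def rdb_value_to_ldap(rdb_value):
    """Olivier's migration step.  Assumption: the RDB column holds the crypt string
    base64-encoded; a value that already carries a {SCHEME} prefix is left alone."""
    if rdb_value.startswith("{"):
        return rdb_value
    return "{CRYPT}" + base64.b64decode(rdb_value).decode("ascii")


# Constructed sample: base64 of the hash quoted in the thread, 6FgwLHWxQzlgA.
RDB_SAMPLE = "NkZnd0xIV3hRemxnQQ=="

if __name__ == "__main__":
    print(rdb_value_to_ldap(RDB_SAMPLE))                       # {CRYPT}6FgwLHWxQzlgA
    print(verify_password("6FgwLHWxQzlgA", "6FgwLHWxQzlgA"))   # True: bare hash == cleartext
    if CRYPT_AVAILABLE:
        h = make_crypt_hash("secret", "6F")
        print(verify_password("{CRYPT}" + h, "secret"))        # True
        print(verify_password("{CRYPT}" + h, "wrong"))         # False
```

Run it once with the values from one account before touching the others, as Olivier suggests: rdb_value_to_ldap() on the column as the RDB presents it should give a value that verify_password() accepts for the real cleartext password; if the column is not actually base64 (the decode raises), the RDB is already holding the bare 13-character string and only the {CRYPT} prefix is missing.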