Re: SSHA hash are stores as '{ssha}......' and '{SSHA}......'
- To: Matthias Apitz <guru@unixarea.de>, openldap-technical@openldap.org
- Subject: Re: SSHA hash are stores as '{ssha}......' and '{SSHA}......'
- From: Howard Chu <hyc@symas.com>
- Date: Tue, 29 Sep 2015 08:22:36 +0100
- In-reply-to: <20150929070347.GA2734@c720-r276659>
- References: <20150929070347.GA2734@c720-r276659>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0 SeaMonkey/2.41a1
Matthias Apitz wrote:
> Hello,
> We are authenticating from some Java-written software against an
> OpenLDAP system by reading the users' 'userPassword' LDAP attribute,
> calculating the clear text password against the SSHA hash string.
That's the wrong way to authenticate against credentials stored in an LDAP
directory. You should just do an LDAP Bind.
> It turned out that some (a small number) of these hashes are stored in the
> form:
> userPassword:: e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==
> which decodes to:
> $ echo 'e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==' | openssl base64 -d
> {ssha}GkR9OuHhNjAhg0VySmcBGEA9ocLUNFefgcEZ1w==
> i.e. with SSHA in small letters. It's only 1 in a thousand users that has
> the tag '{ssha}'.
> Why is this?
Probably you have some clients updating their entries with hashed passwords
instead of letting slapd do all the hashing. Again, that is not a good practice.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
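Added example, not code from this thread or from OpenLDAP: a small Python script of the kind one would use to audit a directory export rather than to authenticate users. It decodes the `userPassword::` LDIF line quoted above, splits off the `{scheme}` tag, reports the digest and salt lengths of the stored SSHA value, and then shows on a constructed password and salt why a client that verifies hashes itself and compares the tag case-sensitively rejects `{ssha}` while a case-insensitive match (which is how slapd treats the tag on Bind) accepts it. The function names, the sample password and the 4-byte salt are this example's own inventions; the LDIF line and its decoded value come from the thread.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Copied from the thread: the LDIF line whose base64 decodes to a lowercase '{ssha}' tag.
LDIF_LINE = "userPassword:: e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ=="


def decode_ldif_value(line: str) -> str:
    """Return the value of one LDIF attribute line.

    'attr:: <base64>' carries a base64-encoded value (LDIF base64-encodes any value
    that is not safe ASCII, e.g. one starting with '{'); 'attr: <value>' is plain.
    """
    _name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """Split '{SCHEME}payload' into (scheme, payload); scheme is None when absent.

    The tag is returned exactly as stored so the caller can see its case.
    """
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:
            return stored[1:end], stored[end + 1:]
    return None, stored


def inspect_ssha(stored: str) -> dict:
    """Describe a stored SSHA value: tag as written and salt length in bytes."""
    scheme, payload = split_scheme(stored)
    raw = base64.b64decode(payload, validate=True)
    return {"scheme": scheme, "salt_len": len(raw) - hashlib.sha1().digest_size}


def make_ssha(password: str, salt: Optional[bytes] = None, tag: str = "{SSHA}") -> str:
    """Build an SSHA userPassword value: tag + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return tag + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str, strict_tag: bool = False) -> bool:
    """Check a password against a stored SSHA value.

    strict_tag=True models a client that accepts only the literal '{SSHA}' spelling;
    the default matches the tag case-insensitively, which is what slapd does on Bind.
    """
    scheme, payload = split_scheme(stored)
    if scheme is None or scheme.upper() != "SSHA":
        return False
    if strict_tag and scheme != "SSHA":
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False
    size = hashlib.sha1().digest_size
    if len(raw) < size:
        return False
    digest, salt = raw[:size], raw[size:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = decode_ldif_value(LDIF_LINE)
    print(value, inspect_ssha(value))  # tag 'ssha', 20-byte digest, 8-byte salt
    # Constructed sample: password and salt invented for this example.
    sample = make_ssha("example-password", salt=b"\x01\x02\x03\x04", tag="{ssha}")
    print("lenient:", verify_ssha(sample, "example-password"))
    print("strict: ", verify_ssha(sample, "example-password", strict_tag=True))
```

Running this over an export is a quick way to count how many entries carry non-canonical tags or unusual salt lengths, which is the fingerprint of clients writing pre-hashed values instead of letting slapd hash them. It is not a substitute for the Bind that Howard recommends: a client that verifies hashes itself needs read access to every user's `userPassword`, so a compromise of that client exposes all the hashes, whereas a Bind-based client needs no such access and slapd handles the scheme tag for it.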