Matthias Apitz wrote:
> We are authenticating from some Java written software against an
> OpenLDAP system by reading the users 'userPassword' LDAP attribute,
> calculating the clear text password against the SSHA hash string.
Are you sure you want to do that? You should rather send a simple bind request
to the server to let slapd check the password.
+ Then you can disallow read access to 'userPassword' to protect the password
hashes against application hacks.
+ You can use stronger password hashing schemes supported by slapd nowadays.
+ slapd can enforce a password policy.
> which decodes to:
>
> $ echo 'e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==' | openssl base64 -d
> {ssha}GkR9OuHhNjAhg0VySmcBGEA9ocLUNFefgcEZ1w==
>
> i.e. with SSHA in small letters. It's only 1 of a thousand users having
> the tag as '{ssha}'.
The scheme string is case-insensitive. Your application has to deal with that
if you insist on doing it this wrong way.
https://tools.ietf.org/html/draft-stroeder-hashed-userpassword-values-01#section-2
Ciao, Michael.
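The point about the scheme string being case-insensitive can be shown in code. The following is an added example, not code from the thread or from OpenLDAP: it parses an RFC 2307-style userPassword value, normalises the `{scheme}` tag so that `{ssha}` and `{SSHA}` compare equal, and checks a candidate password against the SSHA payload (SHA-1 over password plus salt, salt appended, base64-encoded). The hashes it verifies are constructed inside the example; the value from the thread is used only to show tag parsing. The function names are my own.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# "{scheme}payload" prefix as used by slapd; the scheme name is matched without
# regard to case, which is what draft-stroeder-hashed-userpassword-values says.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

# Value quoted in the thread (only the tag is of interest here).
THREAD_VALUE = "{ssha}GkR9OuHhNjAhg0VySmcBGEA9ocLUNFefgcEZ1w=="


def parse_userpassword(value: str) -> Tuple[str, str]:
    """Split a userPassword value into (scheme, payload).

    The scheme is upper-cased so '{ssha}' and '{SSHA}' are treated alike.
    A value without a '{...}' prefix is reported as CLEARTEXT.
    """
    m = _SCHEME_RE.match(value)
    if not m:
        return ("CLEARTEXT", value)
    return (m.group(1).upper(), m.group(2))


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value.

    Raises ValueError for a non-SSHA scheme or a malformed payload so that a
    caller cannot mistake a parsing problem for a wrong password.
    """
    scheme, payload = parse_userpassword(stored)
    if scheme != "SSHA":
        raise ValueError("not an SSHA value: scheme %r" % scheme)
    raw = base64.b64decode(payload)
    if len(raw) <= 20:  # SHA-1 digest is 20 bytes; the salt follows it
        raise ValueError("SSHA payload too short")
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(parse_userpassword(THREAD_VALUE)[0])          # SSHA
    stored = make_ssha("example-password")               # constructed hash
    print(check_ssha("example-password", stored))        # True
    print(check_ssha("example-password", "{ssha}" + stored[6:]))  # True
```

The same parsing applies to the other schemes slapd emits ({SHA}, {CRYPT}, and so on); only the SSHA verification is implemented here. As the reply above says, an application that sends a simple bind never needs this code or read access to userPassword at all, and the comparison then happens inside slapd with whatever scheme and policy the server enforces.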