My reading of the archives has led me to believe that DIGEST-MD5 will require me to store passwords in cleartext. To evaluate the usefulness of this at my site (little point in storing them cleartext if nothing can use DIGEST-MD5) I have set up a test server, but the password keeps getting hashed.
I have added password-hash {CLEARTEXT} to my slapd.conf (which gave me password-hash {CLEARTEXT},{SSHA},{SMD5},{CRYPT}). That didn't do it, so I went for just password-hash {CLEARTEXT}. That also keeps getting my passwords hashed.
Strangely they are not prefixed with the {HASHTYPE}.
When I run ldappasswd -H ldapi:/// -D "cn=testuser,dc=iwu,dc=edu" -w Please -x -s please
In LDAP I get
userPassword:: cGxlYXNl
I have the ppolicy overlay in place, but the behavior remains even when it is removed.
The password is changing, but a log level of -1 isn't showing me why this is getting hashed.
OpenLDAP 2.4.7 on Debian Sid.
What did I do?
Pat
--On February 5, 2008 1:14:35 PM -0600 Pat Riehecky prieheck@iwu.edu wrote:
Strangely they are not prefixed with the {HASHTYPE}.
When I run ldappasswd -H ldapi:/// -D "cn=testuser,dc=iwu,dc=edu" -w Please -x -s please
In LDAP I get
userPassword:: cGxlYXNl
What did I do?
You failed to understand the difference between hashes and encoding. userPassword is base-64 encoded. Decode it to see what the actual value is.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Thank you!
I am an idiot..... (but a happy one!)
Pat
I thought the field was only base64 encoded if it had offending characters such as a space, or something not LDIF compliant?
E.G. you could see an entry that says {crypt}AFDA12321de323
Sellers
On Feb 5, 2008, at 3:08 PM, Quanah Gibson-Mount wrote:
--On February 5, 2008 1:14:35 PM -0600 Pat Riehecky prieheck@iwu.edu wrote:
Strangely they are not prefixed with the {HASHTYPE}.
When I run ldappasswd -H ldapi:/// -D "cn=testuser,dc=iwu,dc=edu" -w Please -x -s please
In LDAP I get
userPassword:: cGxlYXNl
What did I do?
You failed to understand the difference between hashes and encoding. userPassword is base-64 encoded. Decode it to see what the actual value is.
--Quanah
______________________________________________ Chris G. Sellers | NITLE - Technology Team 734.661.2318 | chris.sellers@nitle.org AIM: imthewherd | GoogleTalk: cgseller@gmail.com
It depends on the definition of the field. userPassword is always base64 encoded.
--Quanah
--On February 6, 2008 2:15:21 PM -0500 "Chris G. Sellers" chris.sellers@nitle.org wrote:
I thought the field was only base64 encoded if it had offending characters such as a space, or something not LDIF compliant?
E.G. you could see an entry that says {crypt}AFDA12321de323
Sellers
On Tuesday 05 February 2008 14:14:35 Pat Riehecky imposed structure on a stream of electrons, yielding:
My reading of the archives has led me to believe that DIGEST-MD5 will require me to store passwords in cleartext. To evaluate the usefulness of this at my site (little point in storing them cleartext if nothing can use DIGEST-MD5) I have set up a test server, but the password keeps getting hashed.
I have added password-hash {CLEARTEXT} to my slapd.conf (which gave me password-hash {CLEARTEXT},{SSHA},{SMD5},{CRYPT}). That didn't do it, so I went for just password-hash {CLEARTEXT}. That also keeps getting my passwords hashed.
Strangely they are not prefixed with the {HASHTYPE}.
When I run ldappasswd -H ldapi:/// -D "cn=testuser,dc=iwu,dc=edu" -w Please -x -s please
In LDAP I get
userPassword:: cGxlYXNl
Why do you think it's hashed?
% echo cGxlYXNl | openssl base64 -d | cat
please
It's cleartext, just base64 encoded.
Karsten.
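The encoding-versus-hashing distinction made in the replies above, as an added example (not code from the thread or from OpenLDAP): it decodes `userPassword` lines from an LDIF export and reports which entries hold cleartext and which carry a `{SCHEME}` prefix. The function names and the `dc=example,dc=com` entries are assumptions made for illustration; the `:<` URL form of LDIF values is not handled.

```python
import base64
import re

# Storage-scheme prefix such as {SSHA} or {crypt} at the start of the decoded value
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_.-]+)\}")

def decode_ldif_value(line):
    """Return (attribute, raw bytes) for one unfolded LDIF attribute line."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):  # "attr:: value" is base64 transport encoding
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    return attr, rest.strip().encode("utf-8")  # "attr: value" is literal

def classify_password(raw):
    """Name the storage scheme of a decoded value; no prefix means cleartext."""
    m = SCHEME_RE.match(raw)
    return m.group(1).decode("ascii").upper() if m else "CLEARTEXT"

def audit_ldif(text):
    """Return [(dn, scheme)] for every userPassword value in an LDIF dump."""
    findings, dn = [], None
    unfolded = re.sub(r"\r?\n ", "", text)  # join folded continuation lines
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            dn = dn if line else None  # a blank line ends the current entry
            continue
        attr, raw = decode_ldif_value(line)
        if attr.lower() == "dn":
            dn = raw.decode("utf-8")
        elif attr.lower() == "userpassword":
            findings.append((dn, classify_password(raw)))
    return findings

# Constructed sample: the first two values appear in the thread,
# the third is a made-up {SSHA} blob encoded at run time.
SAMPLE = "\n".join([
    "dn: cn=testuser,dc=iwu,dc=edu",
    "userPassword:: cGxlYXNl",
    "",
    "dn: cn=crypted,dc=example,dc=com",
    "userPassword: {crypt}AFDA12321de323",
    "",
    "dn: cn=salted,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{SSHA}constructed-not-a-real-hash").decode(),
])

if __name__ == "__main__":
    print(audit_ldif(SAMPLE))
```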
openldap-software@openldap.org