Hello,
I am writing an MD5 password to openldap:
cleartext: 654321
md5: c33367701511b4f6020ec61ded352059
hex2b64: wzNncBURtPYCDsYd7TUgWQ==
So in my call, I am setting
userPassword={MD5}wzNncBURtPYCDsYd7TUgWQ==
But when I retrieve the userPassword content later, I get this value:
e01ENX13ek5uY0JVUnRQWUNEc1lkN1RVZ1dRPT0=
What has openldap done to it? What do I have to do with the cleartext password to get the same value?
Kind regards, Marten
On Wed, 9 Dec 2009, Marten Lehmann wrote:
> userPassword={MD5}wzNncBURtPYCDsYd7TUgWQ==
> But when I retrieve the userPassword content later, I get this value:
> e01ENX13ek5uY0JVUnRQWUNEc1lkN1RVZ1dRPT0=
> What has openldap done to it?
http://www.openldap.org/faq/data/cache/1346.html -- you seem to have at least some of the idea with your "hex2b64" line...actually, given your area of interest here, that whole FAQ section is probably a good read.
> What do I have to do with the cleartext password to get the same value?
$ echo e01ENX13ek5uY0JVUnRQWUNEc1lkN1RVZ1dRPT0= | openssl enc -d -base64
{MD5}wzNncBURtPYCDsYd7TUgWQ==
looks like what you got out is the same as what you put in...hopefully that's a good thing? (I didn't check that you hashed it right, maybe what you said was a bad thing?)
> userPassword={MD5}wzNncBURtPYCDsYd7TUgWQ==
> But when I retrieve the userPassword content later, I get this value:
> e01ENX13ek5uY0JVUnRQWUNEc1lkN1RVZ1dRPT0=
What you are seeing (with `ldapsearch`) is the Base64-encoded (security through obscurity :-) value.
$ echo 'e01ENX13ek5uY0JVUnRQWUNEc1lkN1RVZ1dRPT0=' | openssl enc -a -d
{MD5}wzNncBURtPYCDsYd7TUgWQ==
> What has openldap done to it?
Nothing.
> What do I have to do with the cleartext password to get the same value?
Relax: you are getting the same value. :-)
-JP
Marten Lehmann wrote:
> I am writing an MD5 password to openldap:
> cleartext: 654321
> md5: c33367701511b4f6020ec61ded352059
> hex2b64: wzNncBURtPYCDsYd7TUgWQ==
> So in my call, I am setting
> userPassword={MD5}wzNncBURtPYCDsYd7TUgWQ==
> But when I retrieve the userPassword content later, I get this value:
> e01ENX13ek5uY0JVUnRQWUNEc1lkN1RVZ1dRPT0=
Please note that the same value can be presented differently by different software. So you should more precisely describe which tool you used. Probably the last value is just LDIF notation as
userPassword:: e01ENX13ek5uY0JVUnRQWUNEc1lkN1RVZ1dRPT0=
Read RFC 2849. `::` indicates that the value is base64-encoded in the LDIF, not in the directory data itself.
> What has openldap done to it?
Probably nothing.
Ciao, Michael.
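The two encoding layers discussed in this thread, as an added example (not code from any of the posters): first the RFC 2307-style `{MD5}` value is built from the cleartext (MD5 digest, then base64), then that value is wrapped as an LDIF `userPassword::` line per RFC 2849, and decoded again. The `ldif_needs_base64` check applies the SAFE-STRING rules from RFC 2849; the `force_base64` flag is this example's own way of mimicking a tool that encodes the attribute regardless.

```python
import base64
import hashlib


def ldap_md5_password(cleartext: str) -> str:
    """Build a {MD5} userPassword value: base64 of the raw (binary) MD5 digest.
    Note that {MD5} is unsalted and cheap to brute-force; salted schemes are preferred."""
    digest = hashlib.md5(cleartext.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ldif_needs_base64(value: str) -> bool:
    """RFC 2849: a value that is not a SAFE-STRING must be written in ':: <base64>' form.
    Unsafe: leading space/colon/'<', trailing space, NUL, CR, LF, or any non-ASCII byte."""
    if value == "":
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) == 0 or ord(c) > 0x7F or c in "\r\n" for c in value)


def ldif_line(attr: str, value: str, force_base64: bool = False) -> str:
    """Render one LDIF attribute line. The {MD5} value above is a SAFE-STRING, so the
    base64 form seen in ldapsearch output is the tool's choice (hypothetical force flag)."""
    if force_base64 or ldif_needs_base64(value):
        return f"{attr}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}: {value}"


def ldif_decode(line: str) -> tuple:
    """Parse an LDIF attribute line back into (attr, value), undoing '::' base64 if present."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()


if __name__ == "__main__":
    # Constructed input: the cleartext from the thread.
    stored = ldap_md5_password("654321")          # {MD5}wzNncBURtPYCDsYd7TUgWQ==
    line = ldif_line("userPassword", stored, force_base64=True)
    print(line)                                   # userPassword:: e01ENX13...
    print(ldif_decode(line))                      # back to the stored {MD5} value
```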
openldap-software@openldap.org