I have an OpenLDAP 2.4.23 server up and running in a Linux box L against which I can carry out password authentication on behalf of users logging into an embedded system E. To accomplish this, in L I have an LDIF file with entries along the following lines:

```
dn: uid=xxx,ou=yyy,dc=zzz,dc=com
uid: xxx
cn: xxx
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: ThisIsthePassword
shadowLastChange: 14014
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/xxx
gecos: ,,,
```
I would like to change this so that, when sending password information from my LDAP client in E to the LDAP server in L, the password itself is never sent in the clear. So I thought to change the value of the userPassword attribute to read
{SHA}3DRF4FXpG8r+Ki8i8azuZh7KwO8=
instead, where the string above was obtained by means of
slappasswd -v -s ThisIsthePassword -h "{SHA}"
in L.
After restarting the LDAP server in L, when user xxx logs into E with password "ThisIsthePassword" I can verify in the traces of the LDAP server (I am running it as slapd -d 255) that the client in E is sending the "3DRF4FXpG8r+Ki8i8azuZh7KwO8=" string, exactly as specified in the value of the userPassword attribute. However, the authentication is failing.
What is it exactly that the LDAP client in L is supposed to be sending to the LDAP server in this case? I noticed that if the client sends the actual "ThisIsthePassword" string instead, the authentication also fails. I am obviously missing something here, but what is it?
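As an added illustration (not code from the question or from OpenLDAP), here is how a `{SHA}` or `{SSHA}` `userPassword` value is produced and checked: the stored value is the base64 of the SHA-1 digest (with a trailing salt for `{SSHA}`), and verification hashes the candidate password and compares digests. A client that sends the base64 string itself as its password therefore never matches; the hash only protects the value at rest, and protection on the wire comes from TLS, not from the storage scheme. The helper names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_userpassword(password: str, scheme: str = "{SSHA}",
                      salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style userPassword value, like slappasswd -h does."""
    if scheme == "{SHA}":
        digest = hashlib.sha1(password.encode()).digest()
        return "{SHA}" + base64.b64encode(digest).decode()
    if scheme == "{SSHA}":
        # {SSHA} appends a random salt to the password before hashing and
        # stores the salt after the 20-byte digest so it can be recovered.
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(password.encode() + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError(f"unsupported scheme {scheme}")


def check_password(stored: str, candidate: str) -> bool:
    """Verify a cleartext candidate against a stored userPassword value.

    The candidate is what a simple bind carries; the server hashes it and
    compares digests, so the client must send the password, not the hash.
    """
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(candidate.encode()).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:20], raw[20:]
        actual = hashlib.sha1(candidate.encode() + salt).digest()
    else:
        # No scheme prefix: the attribute holds the cleartext password itself.
        expected, actual = stored.encode(), candidate.encode()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, actual)
```

Calling `check_password("{SHA}3DRF4FXpG8r+Ki8i8azuZh7KwO8=", "ThisIsthePassword")` reproduces the server-side check for the value in the question, while passing the base64 string as the candidate shows why the observed bind fails.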