I have an OpenLDAP 2.4.23 server up and running in a Linux box L against which I can carry out password authentication on behalf of users logging into an embedded system E. To accomplish this, in L I have an LDIF file with entries along the following lines:
```ldif
dn: uid=xxx,ou=yyy,dc=zzz,dc=com
uid: xxx
cn: xxx
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: ThisIsthePassword
shadowLastChange: 14014
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/xxx
gecos: ,,,
```
I would like to change this so that, when sending password information from my LDAP client in E to the LDAP server in L, the password itself is never sent in the clear. So I thought of changing the value of the userPassword attribute to read

```
{SHA}3DRF4FXpG8r+Ki8i8azuZh7KwO8=
```

instead, where the string above was obtained by means of

```sh
slappasswd -v -s ThisIsthePassword -h "{SHA}"
```

in L.
After restarting the LDAP server in L, when user xxx logs into E with password "ThisIsthePassword" I can verify in the traces of the LDAP server (I am running it as slapd -d 255) that the client in E is sending the "3DRF4FXpG8r+Ki8i8azuZh7KwO8=" string, exactly as specified in the value of the userPassword attribute. However, the authentication is failing.
What is it exactly that the LDAP client in E is supposed to be sending to the LDAP server in this case? I noticed that if the client sends the actual "ThisIsthePassword" string instead, the authentication also fails. I am obviously missing something here, but what is it?
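As an added illustration (not part of the question above, and not OpenLDAP's own code), this shows how a server checks a simple bind against a hashed userPassword value such as the one produced by `slappasswd -h "{SHA}"`: the client sends the cleartext password, the server hashes it with the stored scheme and compares digests, so a client that sends the hash string itself never matches. It also covers the salted `{SSHA}` scheme that slappasswd uses by default; the hash scheme protects the stored value at rest, not the password on the wire, which is what TLS (ldaps/STARTTLS) is for.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example of RFC 2307 style {SHA} / {SSHA} userPassword handling.
# make_userpassword() mirrors what `slappasswd -h {SHA}` / `-h {SSHA}` emit;
# check_userpassword() mirrors what slapd does with the cleartext from a simple bind.

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; anything after it in {SSHA} is the salt


def make_userpassword(password: str, scheme: str = "{SHA}",
                      salt: Optional[bytes] = None) -> str:
    """Return a userPassword attribute value for the given scheme."""
    pw = password.encode("utf-8")
    if scheme == "{SHA}":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "{SSHA}":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError(f"unsupported scheme {scheme!r}")


def check_userpassword(stored: str, candidate: str) -> bool:
    """Server-side check: `candidate` is the cleartext the client sent in the bind."""
    if not stored.startswith("{"):
        # No scheme prefix: the stored value is cleartext, compare it directly.
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, b64 = stored.split("}", 1)
    scheme += "}"
    blob = base64.b64decode(b64)
    pw = candidate.encode("utf-8")
    if scheme == "{SHA}":
        return hmac.compare_digest(blob, hashlib.sha1(pw).digest())
    if scheme == "{SSHA}":
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False  # unknown scheme: fail closed


if __name__ == "__main__":
    stored = make_userpassword("ThisIsthePassword")
    print(stored)
    print("cleartext bind:", check_userpassword(stored, "ThisIsthePassword"))
    print("hash-as-password bind:", check_userpassword(stored, stored[len("{SHA}"):]))
```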