Matthias Apitz wrote:
Hello,
We are authenticating from some Java written software against an OpenLDAP system by reading the users 'userPassword' LDAP attribute, calculating the clear text password against the SSHA hash string.
That's the wrong way to authenticate against credentials stored in an LDAP directory. You should just do an LDAP Bind.
It turned out that some (a few number) of these hash are stored in the form:
userPassword:: e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==
which decodes to:
$ echo 'e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==' | openssl base64 -d {ssha}GkR9OuHhNjAhg0VySmcBGEA9ocLUNFefgcEZ1w==
i.e. with SSHA in small letters. It's only 1 of thousand users having the tag as '{ssha}'.
Why is this?
Probably you have some clients updating their entries with hashed passwords instead of letting slapd do all the hashing. Again, that is not a good practice.