Matthias Apitz wrote:
We are authenticating from some Java-written software against an OpenLDAP system by reading the user's 'userPassword' LDAP attribute and checking the clear-text password against the SSHA hash string.
Are you sure you want to do that? You should rather send a simple bind request to the server to let slapd check the password.
+ Then you can disallow read access to 'userPassword' to protect the password hashes against application hacks.
+ You can use stronger password hashing schemes supported by slapd nowadays.
+ slapd can enforce a password policy.
which decodes to:
$ echo 'e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==' | openssl base64 -d
{ssha}GkR9OuHhNjAhg0VySmcBGEA9ocLUNFefgcEZ1w==

i.e. with SSHA in small letters. It's only 1 of a thousand users having the tag as '{ssha}'.
The scheme string is case-insensitive. Your application has to deal with that if you insist on doing it this wrong way.
https://tools.ietf.org/html/draft-stroeder-hashed-userpassword-values-01#sec...
Ciao, Michael.
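Added example (not from either poster nor from OpenLDAP itself) showing the point raised in the reply: an application that insists on checking 'userPassword' itself must match the '{scheme}' tag case-insensitively and split the decoded blob into the 20-byte SHA-1 digest and the trailing salt, whose length is not fixed. The sample value is the one decoded in the thread (its clear-text password is unknown, so it is only parsed); the helper names are my own.

```python
import base64
import hashlib
import hmac

# Sample taken from the message above: scheme tag in lower case.
# The clear-text password behind it is not known, so it is only parsed here.
SAMPLE_USERPASSWORD = "{ssha}GkR9OuHhNjAhg0VySmcBGEA9ocLUNFefgcEZ1w=="

SHA1_DIGEST_LEN = 20  # SHA-1 digest size; everything after it is the salt


def parse_userpassword(value):
    """Split '{scheme}base64blob' into (SCHEME, digest, salt).

    The scheme tag is compared case-insensitively, so '{ssha}' and '{SSHA}'
    are handled the same way. Only SSHA is supported in this example.
    """
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no '{scheme}' prefix")
    scheme, _, blob = value[1:].partition("}")
    scheme = scheme.upper()  # normalise: '{ssha}' -> 'SSHA'
    if scheme != "SSHA":
        raise ValueError("unsupported scheme %r" % scheme)
    raw = base64.b64decode(blob, validate=True)
    if len(raw) <= SHA1_DIGEST_LEN:
        raise ValueError("SSHA blob too short to contain digest plus salt")
    return scheme, raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]


def make_ssha(password, salt):
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(value, password):
    """True if the clear-text password matches the stored SSHA value."""
    _, digest, salt = parse_userpassword(value)
    expected = hashlib.sha1(password + salt).digest()
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    scheme, digest, salt = parse_userpassword(SAMPLE_USERPASSWORD)
    print(scheme, len(digest), len(salt))
    stored = make_ssha(b"secret", b"12345678")
    print(verify_userpassword(stored.replace("{SSHA}", "{ssha}"), b"secret"))
```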