It makes sense. Thanks.
I'll try your method next week and will report its result.
in message "Re: How to make ldap evaluate clear text password vs DES stored password", Olivier Olivier.Nicole@cs.ait.ac.th wrote:
yokoyamy@jacic.or.jp writes:
Hi. Thanks for your advice.
My case is a bit complicated.
DES hashed text stored in my RDB is actually cleartext for the RDB itself.
slapd/ldapsearch show it as clear text with base64.
If your RDB is storing a DES password compatible for LDAP, it must store a character string of the form "{CRYPT}F6ojc88jnbdc".
The {CRYPT} part is telling LDAP that the string is a DES password. If there is no {CRYPT} part, LDAP assumes that the string is a cleartext password (this is confirmed by what you say below, you can connect if you type the base64/DES text).
So you should:
- take whatever password text is currently stored in RDB
- remove base64
- append {CRYPT} at the beginning
- store that back in RDB
The RDB will now be storing a DES password that LDAP can use.
I suggest that you test with one account before changing all accounts.
Does any system use the password in RDB or only LDAP? If only LDAP, you can modify all passwords. If other systems use the password, you must have one password in LDAP format ({CRYPT} no base64) and one password for the other applications (no {CRYPT} and base64). Or you must find a way for the RDB to present a different password to LDAP and to the other application (for example, depending on the IP address of the client asking for the password).
Best regards,
Olivier
When I give the original password, the certification process returns invalid credentials, but when I give the DES hashed text which is the same value as in the RDB, certification succeeds as you wrote.
However, I'd like slapd/ldapsearch to change the input password to the same value as in the RDB instead of typing it myself because I can read the RDB directory but others can't.
I've confirmed my crypt can hash the text into the same value as the text in the RDB.
Any idea?
in message "Re: How to make ldap evaluate clear text password vs DES stored password", Olivier Olivier.Nicole@cs.ait.ac.th wrote:
Hi,
LDAP's userPassword stored in the RDB has already been DES hashed by the original app. On the other hand, the input password from the ldapsearch command line is CLEARTEXT.
I'd like to change the certification process of the LDAP source file to make the input password DES hashed by using 2 characters of userPassword as its SALT.
That is how LDAP works if it knows that your password is DES.
But the encoding for DES by LDAP may be slightly different from the encoding for DES by your original app.
For a DES encrypted password, LDAP expects to see: userpassword: {CRYPT}6FgwLHWxQzlgA where 6F is the salt (LDAP knows that the 6F is the salt)
So if your RDB only contains 6FgwLHWxQzlgA, you may have to modify that.
Or I did not understand your question.
Best regards,
Olivier
--
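The {CRYPT} handling Olivier describes above (scheme prefix, first two characters as the salt, literal comparison when the prefix is absent) and the base64 form that ldapsearch prints, as an added Python example that is not part of this thread or of OpenLDAP. It assumes Python's stdlib crypt module, or a crypt_fn you pass in, for the actual DES computation; the sample values are the ones quoted in the thread.

```python
import base64
import re

try:
    import crypt  # stdlib crypt(3) wrapper; deprecated in 3.11, removed in 3.13
except ImportError:
    crypt = None

# Traditional DES crypt(3) output: 13 chars of [./0-9A-Za-z], the first two being the salt.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def parse_ldif_value(line):
    """Split one LDIF line into (attribute, value). 'attr:: xxx' carries a
    base64-encoded value, which is how ldapsearch prints non-safe values."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode()
    return attr, rest.strip()

def split_scheme(value):
    """'{CRYPT}6Fgw...' -> ('CRYPT', '6Fgw...'); no prefix -> (None, value)."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value)
    return (m.group(1).upper(), m.group(2)) if m else (None, value)

def des_salt(data):
    """crypt(3) uses only the first two characters of the stored hash as the salt."""
    return data[:2]

def to_ldap_crypt_value(raw_hash):
    """The conversion from the thread: bare DES hash (base64 already removed) plus the
    {CRYPT} prefix. Refuses anything that is not a 13-char DES hash so a bad RDB row
    is caught before it is written back."""
    if not DES_CRYPT_RE.match(raw_hash):
        raise ValueError("not a traditional DES crypt hash: %r" % raw_hash)
    return "{CRYPT}" + raw_hash

def check_password(cleartext, stored, crypt_fn=None):
    """Verify as the {CRYPT} scheme does: crypt(cleartext, stored) == stored.
    Without a scheme prefix the stored value is compared literally, which is why
    typing the hash itself 'succeeds' against an unprefixed value."""
    scheme, data = split_scheme(stored)
    if scheme is None:
        return cleartext == data
    if scheme != "CRYPT":
        raise ValueError("unsupported scheme " + scheme)
    crypt_fn = crypt_fn or (crypt.crypt if crypt else None)
    if crypt_fn is None:
        raise RuntimeError("no crypt(3) available; pass crypt_fn")
    return crypt_fn(cleartext, data) == data
```

Running to_ldap_crypt_value over one account's RDB row and then check_password with the real crypt is the single-account test Olivier recommends before converting everything.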