El día Tuesday, September 29, 2015 a las 08:22:36AM +0100, Howard Chu escribió:
We are authenticating from some Java written software against an OpenLDAP system by reading the users 'userPassword' LDAP attribute, calculating the clear text password against the SSHA hash string.
That's the wrong way to authenticate against credentials stored in an LDAP directory. You should just do an LDAP Bind.
I do not know (the Java classes have beed written by others) why we do not just doe bind, What what is wrong with our method.
It turned out that some (a few number) of these hash are stored in the form:
userPassword:: e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==
which decodes to:
$ echo 'e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==' | openssl base64 -d {ssha}GkR9OuHhNjAhg0VySmcBGEA9ocLUNFefgcEZ1w==
i.e. with SSHA in small letters. It's only 1 of thousand users having the tag as '{ssha}'.
Why is this?
Probably you have some clients updating their entries with hashed passwords instead of letting slapd do all the hashing. Again, that is not a good practice.
This part is not below our control. The LDAP is managed by some customer and I *think* the use some Perl script to create the user credentials in LDAP, calculating tha SSHA hash in advance.
Thanks for your feedback in any case.
matthias
-- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/