Le 29/11/2017 à 08:38, Geoff Swan a écrit :

On 2017-11-29 5:08 PM, Raja T Nair wrote:

Hello All,

I'm using openldap-ltb-2.4.44-2

Using password-hash {SSHA512}

We have an in-house portal which allows people to change their passwords.

It is written in PHP.

version = php 5.6
lib = php-ldap
$entry['userpassword'] = $newpasswd;

ldap_modify($conn, $userdn, $entry);

$newpasswd contains new password in plain text.

It seems that the server does not encrypt the plain text string sent to it from the portal, it only encodes it in base64.

When an encrypted string is sent (SSHA512), the server rejects based on password policy since no special character is present.

We would want to make the first method to work. Can somebody help me with this?

ps: ldappasswd command works perfectly and the password gets encrypted in SSHA512 and encoded in base64.

You need to also write the code which salts and hashes the password according to your elected scheme before writing it to the database.

Hello,

I think that ppolicy is not supposed to try to analyze a password that is prefixed by a hash indicator... that is kinda weird.

The support for LDAP EXOP (especially "LDAP Password Modify Extended Operation") has been merged to PHP 7.2, but did not exist before, so you will not be able to use it until then, so you are stuck with the hash-before-modify method.

I suggest, if you did not already, that you take a look at the https://ltb-project.org/documentation/self-service-password project, that is also PHP-based, has plan to support exops when they will be available in PHP, so you might either inspire yourself from its code or switch to using it :) (Also, one of its main developers, Clément Oudot, lurks on this mailing list so you might get useful advice from him).

We actually do use SSP here with SSHA512 support AND ppolicy and it works flawlessly.

-- 
Matthieu Cerda
Infrastructure, BU Means @ NBS System