Hello,

I want to understand how to retrieve the 'salt' which was used by the LDAP server to hash a user's password with seeded sha1, i.e. SSHA;

when I do a ldapsearch from the UNIX cmd line I get the attribute as:

$ ldapsearch -h 10.45.xx.xx -p 389 -x -D ... 'cn=jrXXXXX' ... dn: cn=jrXXXXX,ou=user,ou=.... userPassword:: e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q= ...

the above string I can decode with:

$ echo -n 'e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q=' | mmencode -u {SSHA}MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD

but now I'm lost how to retrieve the 'salt' from it :-(

I have google'd around and see examples for this like in

http://www.pressinganswer.com/444023/how-can-i-retrieve-a-salt-from-ldap

<CITED ON> With SSHA, normally the salt is appended to the SHA1 hash and then the whole thing is Base64 encoded (I've never seen an LDAP that didn't do SSHA this way). You should be able to tell this by looking at the userPassword attribute. If it's 28 character long with a = at the end, it's only the hash.

If the Base64 value is 32 character long or greater, it contains both the hash and the salt. Base64 decode the value and strip off the first 20 bytes, this is the SHA1 hash. The remaining bytes are the salt.

Example:

Base64 encoded hash with salt userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0

Base64 decoded value SHA1 Hash Salt --------------------++++ 123456789012345678901234 <CITED OFF>

I can repeat the given example with:

$ echo -n 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0' | mmencode -u 123456789012345678901234

but when I run the original string through decode, I get only binary nonsense from:

echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u 2  §íRùÞÃg­ð

What I do wrong or what I'm missing here?

The used 'mmencode' is on FreeBSD 10-CURRENT from a pkg:

$ pkg_info -W /usr/local/bin/mmencode /usr/local/bin/mmencode was installed by package metamail-2.7_9

if this does any matter.

Thanks

matthias