Hello All,
I'm using openldap-ltb-2.4.44-2, with password-hash {SSHA512}.
We have an in-house portal which allows people to change their passwords. It is written in PHP.
version = php 5.6
lib = php-ldap
$entry['userpassword'] = $newpasswd;
ldap_modify($conn, $userdn, $entry);
$newpasswd contains new password in plain text.
It seems that the server does not encrypt the plain text string sent to it from the portal, it only encodes it in base64.
When an encrypted string is sent (SSHA512), the server rejects based on password policy since no special character is present.
We would want to make the first method to work. Can somebody help me with this?
ps: ldappasswd command works perfectly and the password gets encrypted in SSHA512 and encoded in base64.
Best Regards, Raja.
OpenLDAP's slapd daemon only hashes passwords that are managed with the "LDAP Password Modify Extended Operation", in which the password arrives at the server in cleartext. Passwords are not changed over the normal LDAP modify operation; they are written verbatim. Of course you can't send a SHA hash to the server and expect that it complies with password policy. What do you think, that slapd is able to automagically decrypt your hashes in real time in order to perform policy checks?
-mike
On Wed, Nov 29, 2017 at 8:08 AM, Raja T Nair rtnair@gmail.com wrote:
On 2017-11-29 5:08 PM, Raja T Nair wrote:
You need to also write the code which salts and hashes the password according to your elected scheme before writing it to the database.
On 29/11/2017 at 08:38, Geoff Swan wrote:
Hello,
I think that ppolicy is not supposed to try to analyze a password that is prefixed by a hash indicator... that is kinda weird.
Support for LDAP EXOPs (in particular the "LDAP Password Modify Extended Operation") was merged into PHP 7.2 but did not exist before, so you will not be able to use it until then; you are stuck with the hash-before-modify method.
I suggest, if you have not already, that you take a look at the https://ltb-project.org/documentation/self-service-password project. It is also PHP-based and plans to support exops when they are available in PHP, so you might either take inspiration from its code or switch to using it :) (Also, one of its main developers, Clément Oudot, lurks on this mailing list, so you might get useful advice from him.)
We actually do use SSP here with SSHA512 support AND ppolicy and it works flawlessly.
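The two approaches discussed in this thread, as an added example written for this page (it is not code from the original posts, from the LTB project or from Self Service Password): on PHP 5.6 the portal must produce the {SSHA512} value itself before ldap_modify(), since slapd stores whatever a plain modify hands it; on PHP 7.2 and later ldap_exop_passwd() sends the cleartext through the Password Modify extended operation and slapd applies its own password-hash and ppolicy. The {SSHA512} layout assumed here is the one OpenLDAP's pw-sha2 module uses, base64(SHA-512(password . salt) . salt) with an 8-byte salt; the function names ssha512_hash, ssha512_verify and set_password are hypothetical helpers, and $conn is assumed to be an already-bound connection over TLS.

```php
<?php
// Added example, not from the thread. Builds and checks an {SSHA512}
// userPassword value in the format OpenLDAP's pw-sha2 module expects:
//   "{SSHA512}" . base64( SHA-512(password . salt) . salt )
// so a value hashed here is interchangeable with one made by slappasswd
// or by slapd itself via the Password Modify exop.

function ssha512_hash($password, $salt = null)
{
    if ($salt === null) {
        // 8 random salt bytes; random_bytes() is PHP 7+, so fall back to
        // openssl_random_pseudo_bytes() on PHP 5.6 and refuse weak output.
        if (function_exists('random_bytes')) {
            $salt = random_bytes(8);
        } else {
            $salt = openssl_random_pseudo_bytes(8, $strong);
            if ($salt === false || !$strong) {
                throw new RuntimeException('no strong random source for salt');
            }
        }
    }
    $digest = hash('sha512', $password . $salt, true); // 64 raw bytes
    return '{SSHA512}' . base64_encode($digest . $salt);
}

function ssha512_verify($password, $stored)
{
    if (strncmp($stored, '{SSHA512}', 9) !== 0) {
        return false;
    }
    $raw = base64_decode(substr($stored, 9), true);
    if ($raw === false || strlen($raw) <= 64) {
        return false; // must hold a 64-byte digest plus a non-empty salt
    }
    $digest = substr($raw, 0, 64);
    $salt   = substr($raw, 64); // salt length is whatever follows the digest
    $calc   = hash('sha512', $password . $salt, true);
    return hash_equals($digest, $calc); // constant-time compare (PHP >= 5.6)
}

// Hypothetical portal helper: exop when the PHP build has it, local hash otherwise.
function set_password($conn, $userdn, $newpasswd)
{
    if (function_exists('ldap_exop_passwd')) {
        // PHP >= 7.2: slapd receives cleartext, hashes with its configured
        // password-hash and runs ppolicy checks on the real password.
        return ldap_exop_passwd($conn, $userdn, '', $newpasswd) !== false;
    }
    // PHP 5.6: slapd stores this value verbatim, so the hashing (and any
    // quality rules) have to happen here in the portal.
    $entry = array('userpassword' => ssha512_hash($newpasswd));
    return ldap_modify($conn, $userdn, $entry);
}

// Sanity check on a fixed, constructed salt so the output is reproducible.
$sample = ssha512_hash('Tr0ub4dor&3', "\x01\x02\x03\x04\x05\x06\x07\x08");
assert(ssha512_verify('Tr0ub4dor&3', $sample) === true);
assert(ssha512_verify('wrong', $sample) === false);
```

Two caveats with the hash-before-modify path: ppolicy cannot evaluate quality rules against a hashed value, so length and character-class checks must be enforced in the portal itself, and the cleartext password crosses the wire on either path (inside the exop or, here, in memory before hashing), so the bind and the modify should only ever go over LDAPS or StartTLS.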
openldap-technical@openldap.org