Hi
Can anybody help me with the following issue?
ldapcompare -D "uid=testuser,ou=Users,dc=domain,dc=net" -w test "uid=testuser,ou=Users,dc=domain,dc=net" -v userPassword:test
ldap_initialize( <DEFAULT> )
DN:uid=testuser,ou=Users,dc=domain,dc=net, attr:userPassword, value:test
Compare Result: Compare False (5)
FALSE
BUT
ldapcompare -D "uid=testuser,ou=Users,dc=domain,dc=net" -w test "uid= testuser,ou=Users,dc=domain,dc=net" -v userPassword::e1NTSEF9L0NFMERQNTVtOU82T09HK1AzQVdNZG9nU2x6Z0FwTGw=
ldap_initialize( <DEFAULT> )
DN:uid= testuser,ou=Users,dc=domain,dc=net, attr:userPassword, value::e1NTSEF9L0NFMERQNTVtOU82T09HK1AzQVdNZG9nU2x6Z0FwTGw=
Compare Result: Compare True (6)
TRUE
I know that the problem is not with ldapcompare but I can't figure out where it is.
Thank You,
Szilard Gyorgy
Hi Szilard, your PW is SSHA encoded:
echo e1NTSEF9L0NFMERQNTVtOU82T09HK1AzQVdNZG9nU2x6Z0FwTGw= | base64 -d
{SSHA}/CE0DP55m9O6OOG+P3AWMdogSlzgApLl
SSHA encode the value you want to compare and then compare it.
suomi
On 02/15/2012 12:38 PM, Szilard Gyorgy wrote:
Hi Suomi,
Yes, but I need all this for my Cisco router, where I can't do any pre-encryption; the password is sent for comparison in clear text, so I need to make that compare return true if the password is correct. Can I set up LDAP to store the password in a different format?
Best, Szilard Gyorgy
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of anax
Sent: Wednesday, February 15, 2012 2:14 PM
To: openldap-technical@openldap.org
Subject: Re: authentification issue with clear text password
On Wednesday, 15 February 2012 15:21:53 Szilard Gyorgy wrote:
Hi Suomi,
Yes, but I need all this for my Cisco router
AFAIK, Cisco routers don't support LDAP authentication, but instead RADIUS (e.g. for VPN authentication), TACACS+ and Kerberos (e.g. administrative access).
Maybe you can provide more information on the software that actually communicates with LDAP (such as your RADIUS server).
where I can't do any pre-encryption; the password is sent for comparison in clear text, so I need to make that compare return true if the password is correct.
An LDAP client that can't do a simple bind is a broken LDAP client. FreeRADIUS may by default do a compare, but it can be configured to bind instead.
Can I set up LDAP to store the password in a different format?
That would reduce your overall security.
Regards, Buchan
On Wed, 15 Feb 2012 13:38:17 +0200, "Szilard Gyorgy" szilard@gyorgy.net wrote:
ldapcompare -D "uid=testuser,ou=Users,dc=domain,dc=net" -w test "uid=testuser,ou=Users,dc=domain,dc=net" -v userPassword:test
Why are you using compare at all? The server already checked the password when it accepted your Bind with -D and -w <password>. I don't think there's an ldap tool which does nothing but Bind, so you have to ask it to do something afterwards but it doesn't really matter what. In such cases I usually use ldapwhoami:
ldapwhoami -x -D "uid=testuser,ou=Users,dc=domain,dc=net" -w test
The -x disables SASL, which you do not use or want with -D/-w. SASL is on by default if you have compiled in support for it.
BTW, maybe you want to use -y <file> for the password instead. Note that the file contents must NOT end with a newline, unless the newline is part of the password.
Hallvard
Hi Hallvard
I use the compare tool just for testing.
The problem is that when I try to log in to my Cisco router (using LDAP) I get a "compare false" error message. After that I tested the same password with this tool and got the same result.
If I give the same password that I used to log in, why is it not working? OK, it is a different encryption; how can I change it?
PS: I need to have the compare function working with a clear text password; if it is not working with LDAP's own compare tool, I can't expect that it will work with the router.
Best, Szilard
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Hallvard B Furuseth
Sent: Wednesday, February 15, 2012 4:19 PM
To: Szilard Gyorgy
Cc: openldap-technical@openldap.org
Subject: Re: authentification issue with clear text password
On Wed, 15 Feb 2012 16:35:38 +0200, Szilard Gyorgy wrote:
Hi Hallvard
I use the compare tool just for testing.
The problem is that when I try to log in to my Cisco router (using LDAP) I get a "compare false" error message. After that I tested the same password with this tool and got the same result.
That's working as intended.
If I give the same password that I used to log in, why is it not working? OK, it is a different encryption; how can I change it?
The Bind operation treats the userPassword attribute specially and pays attention to encryption, while the Compare operation just considers userPassword an ordinary attribute and compares it as-is. For Compare to work, you must store the cleartext password with ldapmodify. However, slapd might be configured so Bind does not support cleartext userPassword...
BTW, also note that tools like ldapsearch display the password base64-encoded. The '::' after the attribute name indicates this. That's a client-side matter, but might add some extra confusion.
PS: I need to have the compare function working with a clear text password; if it is not working with LDAP's own compare tool, I can't expect that it will work with the router.
I hope you are testing the wrong thing. I don't know why you can't expect that; it is working as specified after all. But then, I don't know how your router uses LDAP. You can hide userPassword with access controls so people can only compare and Bind, but not read it. But it's better if the password can never be read. In which case there is also no need to store it in cleartext.
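The two points made in this thread, Suomi's observation that the stored value is an {SSHA} hash rather than the password, and Hallvard's explanation that Bind is password-aware while Compare is plain attribute equality, can be replayed offline. The following is an added example, not OpenLDAP code and not from anyone in the thread: it parses and verifies {SSHA} values the way slapd's Bind does (SHA-1 over password followed by salt, then base64 of digest followed by salt), and runs Bind and Compare against a mock one-entry directory. The stored value quoted in the thread is used only to show the decoding and the digest/salt split; the salt in the mock entry is constructed, and the result codes are the standard LDAP compareFalse (5), compareTrue (6) and noSuchObject (32) values that ldapcompare printed.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# LDAP result codes as they appear in the ldapcompare output quoted in the thread
COMPARE_FALSE = 5
COMPARE_TRUE = 6
NO_SUCH_OBJECT = 32

# The userPassword value Suomi decoded from its LDIF base64 ("::") form in the thread
PAGE_VALUE = "{SSHA}/CE0DP55m9O6OOG+P3AWMdogSlzgApLl"


def decode_ldif_base64(value: str) -> str:
    """Decode a value shown in LDIF '::' (base64) form back to its text form."""
    return base64.b64decode(value).decode("utf-8")


def make_ssha(password: str, salt: bytes | None = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64( SHA-1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(4)  # slapd uses a 4-byte salt by default; any length parses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> tuple[bytes, bytes]:
    """Split an {SSHA} value into (20-byte SHA-1 digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short to contain a digest and a salt")
    return raw[:20], raw[20:]


def verify_ssha(stored: str, password: str) -> bool:
    """What a Bind does: re-hash the offered password with the stored salt and compare."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def bind(directory: dict, dn: str, password: str) -> bool:
    """Simple Bind: password-aware check against the entry's userPassword."""
    entry = directory.get(dn)
    if entry is None:
        return False
    stored = entry["userPassword"]
    if stored.startswith("{SSHA}"):
        return verify_ssha(stored, password)
    # Cleartext storage: the only form a Compare on the raw password could ever match
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def compare(directory: dict, dn: str, attr: str, value: str) -> int:
    """Compare: plain attribute-value equality, with no knowledge of password hashing."""
    entry = directory.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT
    return COMPARE_TRUE if entry.get(attr) == value else COMPARE_FALSE


def reproduce_thread() -> dict:
    """Replay the thread's three operations against a mock entry (constructed data)."""
    dn = "uid=testuser,ou=Users,dc=domain,dc=net"
    stored = make_ssha("test", salt=b"\x01\x02\x03\x04")  # constructed salt, not the real one
    directory = {dn: {"userPassword": stored}}
    return {
        "bind_with_test": bind(directory, dn, "test"),                            # accepted
        "compare_cleartext": compare(directory, dn, "userPassword", "test"),      # 5, False
        "compare_stored_hash": compare(directory, dn, "userPassword", stored),    # 6, True
    }


if __name__ == "__main__":
    print(decode_ldif_base64("e1NTSEF9L0NFMERQNTVtOU82T09HK1AzQVdNZG9nU2x6Z0FwTGw="))
    digest, salt = parse_ssha(PAGE_VALUE)
    print(f"digest {len(digest)} bytes, salt {len(salt)} bytes")
    print(reproduce_thread())
```

Running it shows exactly the asymmetry Hallvard describes: the Bind with "test" succeeds because the server re-hashes with the stored salt, Compare against "test" returns 5 because the attribute value is the hash, and Compare against the hash itself returns 6. A client that relies on Compare therefore only works if userPassword is stored in cleartext, which is the trade-off Buchan warned about; a client that Binds works with hashed storage and never needs read access to the attribute.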