Hi, I am using the default Ubuntu 12.10 openldap installation and have inherited an existing ldap setup. When I do a slapcat -n 1, it shows userPassword entries as follows:
userPassword:: e2NyeFB0fSQxJEkwKGc3bGJjJFpwL3JndlpCZDBlSPZuZGdoMFczTC8=
( password string has been edited... )
I am not sure how this is encoded... is there a way to find out? I have tried md5 which is currently the default encoding for our servers.
I have also tried slappasswd with various -h options to see if I can recreate the same hash if it is a hash.
I want to add new users using ldif and would like to encrypt/hash their passwords in a similar fashion if possible.
Any help would be appreciated.
Regards
Hello,
Seems to be base64 encoded {crypt} password
http://www.openldap.org/faq/data/cache/344.html
{crxPt}$1$I0(g7lbc$Zp/rgvZBd0eHöndgh0W3L/
Laurent
> From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On behalf of Gerhardus Geldenhuis
> Sent: Friday, 15 March 2013 15:58
> To: openldap-technical@openldap.org
> Subject: Encryption or hash for password?
>
> Hi, I am using the default Ubuntu 12.10 openldap installation and have inherited an existing ldap setup. When I do a slapcat -n 1, it shows userPassword entries as follows:
> userPassword:: e2NyeFB0fSQxJEkwKGc3bGJjJFpwL3JndlpCZDBlSPZuZGdoMFczTC8=
> ( password string has been edited... )
> I am not sure how this is encoded... is there a way to find out? I have tried md5 which is currently the default encoding for our servers.
> I have also tried slappasswd with various -h options to see if I can recreate the same hash if it is a hash.
> I want to add new users using ldif and would like to encrypt/hash their passwords in a similar fashion if possible.
> Any help would be appreciated.
> Regards
> -- Gerhardus Geldenhuis
________________________________
Paper is a natural, renewable and recyclable communication medium. If you must print this e-mail, remember to recycle it.
Thanks, I thought crypt as well... but then I would expect it to look like: userPassword: {CRYPT}saHW9GdxihkGQ
instead slapcat generates: userPassword:: skadfjsajf=
Two small differences: there are two :: instead of one and all of the userPassword entries end in =.
Regards
Gerhardus Geldenhuis wrote:
> Thanks, I thought crypt as well... but then I would expect it to look like: userPassword: {CRYPT}saHW9GdxihkGQ
> instead slapcat generates: userPassword:: skadfjsajf=
> Two small differences: there are two :: instead of one and all of the userPassword entries end in =.
Read the ldif(5) manpage.
On 03/15/2013 09:58 AM, Gerhardus Geldenhuis wrote:
> Hi, I am using the default Ubuntu 12.10 openldap installation and have inherited an existing ldap setup. When I do a slapcat -n 1, it shows userPassword entries as follows:
> userPassword:: e2NyeFB0fSQxJEkwKGc3bGJjJFpwL3JndlpCZDBlSPZuZGdoMFczTC8=
> ( password string has been edited... )
> I am not sure how this is encoded... is there a way to find out? I have tried md5 which is currently the default encoding for our servers.
> I have also tried slappasswd with various -h options to see if I can recreate the same hash if it is a hash.
> I want to add new users using ldif and would like to encrypt/hash their passwords in a similar fashion if possible.
> Any help would be appreciated.
The double colon after the attribute name means it's Base64 encoded. So decode the base64 and you end up with this:
{crxPt}$1$I0(g7lbc$Zp/rgvZBd0eHöndgh0W3L/
which after your mangling still appears to be a CRYPT-MD5 password.
/* Wes Hardin */
Gerhardus Geldenhuis wrote:
> Hi, I am using the default Ubuntu 12.10 openldap installation and have inherited an existing ldap setup. When I do a slapcat -n 1, it shows userPassword entries as follows:
> userPassword:: e2NyeFB0fSQxJEkwKGc3bGJjJFpwL3JndlpCZDBlSPZuZGdoMFczTC8=

Attributes which end in a double colon are base64 encoded.

> ( password string has been edited... )
> I am not sure how this is encoded... is there a way to find out?

$ echo -n e1NTSEF9RndkTDkxVitzclFOTVJzR003dHNQMFptWGhySU1KVSs= | base64 -d
{SSHA}FwdL91V+srQNMRsGM7tsP0ZmXhrIMJU+
I have written a small script "slappasswd-schemes" to show you all password schemes and how to generate and use them. Just give a password as param 1. Here the output:
$ ./slappasswd-schemes secret
All passwords are generated twice. If both are equal, the scheme does NOT use a salt.
In ldif syntax use either:
userPassword: {SSHA}2kleHu61nroaBkjRbw5/mT3JDQr/CLKz
or the base64 encoded version
userPassword:: e1NTSEF9RndkTDkxVitzclFOTVJzR003dHNQMFptWGhySU1KVSs=
for a SSHA password.
And now, all password hashes for the secret: secret
scheme: {CLEARTEXT}
secret
secret
c2VjcmV0

scheme: {MD5}
{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
e01ENX1YcjRpbE96UTRQQ09xM2FRMHFidWFRPT0=

scheme: {SMD5}
{SMD5}AkT8L79k1jKIcXvzQk18X1rXVE0=
{SMD5}KUAebeV3hV5w5i05vkH18wTwywM=
e1NNRDV9SURyaDNoUUN2aVhxQ1V5VVRwOVh1NEcrbUlrPQ==

scheme: {SHA}
{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
e1NIQX01ZW42RzZNZXpScm9UM1hLcWtkUE9tWS9CZlE9

scheme: {SSHA}
{SSHA}x10c3ncQnuohi5EzyMHu0pnMJ/Z/mdni
{SSHA}9KFIC520ErEtljnQJgazgkHHQy0c1ZxV
e1NTSEF9YjZwZVdkNjNoNWJ3SE1PYkJ2b3JVNmUwSFR4OWI2NFQ=

scheme: {CRYPT}
{CRYPT}vqn1iuQszHYmM
{CRYPT}Hz1hVbBFKmjnc
e0NSWVBUfVhBdFIwajh1RnNnY3M=

scheme: {CRYPT} (MD5 based)
{CRYPT}$1$fo2VmL12$.ElUOfaInJuVNWBrjXKpl/
{CRYPT}$1$ElnV9mg.$4kB2A38bsPdS.YdHONltV0
e0NSWVBUfSQxJEFNTzAyL3hDJHpnTlNWdXBhOHhGRklnLmVOY2dlUDA=
### The script
#!/bin/bash
# Usage: ./slappasswd-schemes <password>
cat <<end
All passwords are generated twice. If both are equal, the scheme does NOT use a salt.

In ldif syntax use either:

userPassword: {SSHA}2kleHu61nroaBkjRbw5/mT3JDQr/CLKz
or the base64 encoded version
userPassword:: e1NTSEF9RndkTDkxVitzclFOTVJzR003dHNQMFptWGhySU1KVSs=

for a SSHA password.

And now, all password hashes for the secret: $1

end

export schemes="CLEARTEXT MD5 SMD5 SHA SSHA CRYPT"

for sch in $schemes ; do
    echo 'scheme: {'$sch'}'
    # Two runs: identical output means the scheme is unsalted.
    echo -n $(/usr/sbin/slappasswd -h '{'$sch'}' -s "$1") && echo
    echo -n $(/usr/sbin/slappasswd -h '{'$sch'}' -s "$1") && echo
    # Third run, base64 encoded for use after "userPassword::".
    echo -n $(/usr/sbin/slappasswd -h '{'$sch'}' -s "$1") | base64 && echo
done

echo 'scheme: {CRYPT} (MD5 based)'
echo -n $(/usr/sbin/slappasswd -c '$1$%.8s' -s "$1") && echo
echo -n $(/usr/sbin/slappasswd -c '$1$%.8s' -s "$1") && echo
echo -n $(/usr/sbin/slappasswd -c '$1$%.8s' -s "$1") | base64 && echo
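Added example (not part of the thread and not OpenLDAP code): the steps the replies describe, in Python. It decodes a `::` LDIF value, names the scheme from its `{...}` prefix, checks a candidate password against the digest schemes, and builds a `{SSHA}` value for a new LDIF entry. The function names are this example's own; it assumes unfolded single-line values and only the schemes listed in the script output above.

```python
import base64, hashlib, hmac, os, re
# scheme -> (hashlib name, digest length); salted schemes store digest + salt
DIGESTS = {"MD5": ("md5", 16), "SMD5": ("md5", 16),
           "SHA": ("sha1", 20), "SSHA": ("sha1", 20)}
CRYPT_IDS = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}

def ldif_value(line):
    """Split one LDIF line; a '::' separator means the value is base64."""
    m = re.match(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not an attribute line: %r" % line)
    attr, sep, raw = m.groups()
    if sep == "::":  # latin-1 keeps every byte, so a mangled value still decodes
        raw = base64.b64decode(raw).decode("latin-1")
    return attr, raw

def split_scheme(value):
    """Separate the {SCHEME} prefix from the rest; no prefix means cleartext."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
    return (m.group(1).upper(), m.group(2)) if m else ("CLEARTEXT", value)

def classify(value):
    """Return (scheme, algorithm, salted) for a decoded userPassword value."""
    scheme, body = split_scheme(value)
    if scheme == "CRYPT":
        parts = body.split("$")
        if body.startswith("$") and len(parts) >= 4:
            return scheme, CRYPT_IDS.get(parts[1], "crypt id " + parts[1]), True
        return scheme, "DES-crypt", True
    if scheme in DIGESTS:
        name, size = DIGESTS[scheme]
        return scheme, name, len(base64.b64decode(body)) > size
    return scheme, None, None  # cleartext or unrecognised prefix

def verify(value, password):
    """Check a candidate password against an {MD5}/{SMD5}/{SHA}/{SSHA} value."""
    scheme, body = split_scheme(value)
    name, size = DIGESTS[scheme]
    raw = base64.b64decode(body)
    calc = hashlib.new(name, password.encode() + raw[size:]).digest()
    return hmac.compare_digest(calc, raw[:size])

def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

if __name__ == "__main__":
    print(classify(ldif_value("userPassword:: e1NTSEF9RndkTDkxVitzclFOTVJzR003dHNQMFptWGhySU1KVSs=")[1]))
```

The edited value from the original question decodes to a `{crxPt}` prefix, so `classify` reports it as an unrecognised scheme rather than guessing.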