LDAP password generation

cele_82 · 05-06-2014, 07:40 PM

Hi,
I have a quick question, probably easy for someone that knows already how this works.

If using this command to generate an LDAP password

Quote:

[root@CENTOS6 ~]# slappasswd -s password -h '{CRYPT}'
{CRYPT}br7QH37oXbKf6
[root@CENTOS6 ~]# slappasswd -s password -h '{CRYPT}'
{CRYPT}Sf/rqvVc3Usvc
[root@CENTOS6 ~]# slappasswd -s password -h '{CRYPT}'
{CRYPT}SVWRaOz3rjmGA
[root@CENTOS6 ~]# slappasswd -s password -h '{CRYPT}'
{CRYPT}n2J0VEfyLj55g
[root@CENTOS6 ~]# slappasswd -s password -h '{CRYPT}'
{CRYPT}CjO854tVYj.WU

I get a password different all the time. I guess it's because it's salted ? What I don't understand is why is it changing all the time I ran the command ? Is it based on some hardware clock or random numbers ?

IF so how the client and server can agree on the a successful login ? Is hte client encrypting password and then matching that somehow with a password stored in a file ?

Please help me to understand this.
Thanks!

sundialsvcs · 05-12-2014, 05:51 AM

Start by reading a little farther along in man slappasswd:

Quote:

-c crypt-salt-format
Specify the format of the salt passed to crypt(3) when generating {CRYPT} passwords. This string needs to be in sprintf(3) format and may include one (and only one) %s conversion. This conversion will be substituted with a string of random characters from [A-Za-z0-9./]. For example, '%.2s' provides a two character salt and '$1$%.8s' tells some versions of crypt(3) to use an MD5 algorithm and provides 8 random characters of salt. The default is '%s', which provides 31 characters of salt.
[ ... ]
The hashed password values should be protected as if they were cleartext passwords.

So ... (some might add, "of course ...") the hash is salted. So, a very large number of 'different' strings can be used to convey the same secret.

cele_82 · 05-12-2014, 08:15 AM

Thank you very much for your answer. Could you explain me how client and server can agree a login ? I mean I'm not sure if the client sends the password securely to server and the server encrypt that and matches it to the one in the file/database.

If so, I don't understand how this works ? I mean if the hash always changes how the server can compare it to the hash of the password used for login ? Is the salt always the same ?

Thanks