ldap userPassword to /etc/shadow hash

chakkerz · 09-26-2011, 11:56 PM

Hello there

I'm trying to get a the output of openldap's userPassword into a form that I can use in an /etc/shadow file.

At this point I'm getting the following back from my python code:

Code:

{SHA}Ze+rczxx0HMdPbHNwVE1JTPyCi4=

But i have no idea how this relates to a working password hash / string in /etc/shadow .

Is there a way to take that output and make it something i can insert into /etc/shadow to authenticate against? (preferably using python)

A.Thyssen · 09-27-2011, 01:16 AM

Hello fellow brisbanite!

Sorry what you have can not be used as a shadow password file which makes use of the GNU crypt() library function. See man crypt for more details.

the shadow file password field not only requires the encrypted password, but also the hashing method and the salt that was used for the encryption to form a character sequence such as

Code:

$5${salt}${encrypted_password}

where '5' is for SHA-256 hashing function.
What you have MAY correspond to '{encrypted_password}' part but without a salt that is useless. It also appears to be a little short for a SHA-256 encryption, perhaps it is only SHA-128 which is not supported.

There is also the problem of exactly how OpenLDAP is representing binary data in an ASCII form. It looks like it is a base64 encoding (the = fill characters at the end is a give-a-way), which should be compatible.

In summery, No you can not used it in the shadow file, at least not as is.

Does anyone have info on the OpenLDAPs password hashing method?

chakkerz · 09-27-2011, 02:11 AM

Yeah I came to that conclusion as well (especially after finding Frantisek Hanzlik's post on the subject that's mirrored everywhere see http://lists.fedoraproject.org/piper...ry/008805.html ).

I've decided to go with clear and storing an md5 hash in the field in a secondary userPassword field, getting python to query for all of the users passwords and then deploying the one that .startswith("$1$") and if none is found using "!!" .

Most of my authentication is handled by sssd, so we'll see how that goes with having two passwords to choose from... and I just (famous last word) need the md5 for FreeBSD and Solaris hosts, so my authentication is managed in a central location.

Thanks for the info!