LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 09-26-2011, 11:56 PM   #1
chakkerz
Member
 
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Rep: Reputation: 32
ldap userPassword to /etc/shadow hash


Hello there

I'm trying to get the output of openldap's userPassword into a form that I can use in an /etc/shadow file.

At this point I'm getting the following back from my python code:

Code:
{SHA}Ze+rczxx0HMdPbHNwVE1JTPyCi4=
But I have no idea how this relates to a working password hash / string in /etc/shadow.

Is there a way to take that output and make it something I can insert into /etc/shadow to authenticate against? (preferably using python)

Last edited by chakkerz; 09-26-2011 at 11:57 PM. Reason: code tags wrong
 
Old 09-27-2011, 01:16 AM   #2
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Posts: 119

Rep: Reputation: 32
Hello fellow brisbanite!

Sorry, what you have cannot be used as a shadow password file which makes use of the GNU crypt() library function. See man crypt for more details.

The shadow file password field not only requires the encrypted password, but also the hashing method and the salt that was used for the encryption, to form a character sequence such as
Code:
$5${salt}${encrypted_password}
where '5' is for the SHA-256 hashing function.
What you have MAY correspond to the '{encrypted_password}' part, but without a salt that is useless. It also appears to be a little short for a SHA-256 encryption; perhaps it is only SHA-128, which is not supported.

There is also the problem of exactly how OpenLDAP is representing binary data in an ASCII form. It looks like it is a base64 encoding (the = fill characters at the end are a giveaway), which should be compatible.

In summary, no, you cannot use it in the shadow file, at least not as is.

Does anyone have info on OpenLDAP's password hashing method?

Last edited by A.Thyssen; 09-27-2011 at 01:17 AM.
 
Old 09-27-2011, 02:11 AM   #3
chakkerz
Member
 
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Original Poster
Rep: Reputation: 32
Yeah, I came to that conclusion as well (especially after finding Frantisek Hanzlik's post on the subject that's mirrored everywhere; see http://lists.fedoraproject.org/piper...ry/008805.html ).

I've decided to go with clear and storing an md5 hash in the field in a secondary userPassword field, getting python to query for all of the users' passwords and then deploying the one that .startswith("$1$") and, if none is found, using "!!".

Most of my authentication is handled by sssd, so we'll see how that goes with having two passwords to choose from... and I just (famous last words) need the md5 for FreeBSD and Solaris hosts, so my authentication is managed in a central location.

Thanks for the info!
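
Added example, not code from any poster in this thread: Python that decodes the `{SHA}` value from post #1 (base64 of a bare 20-byte SHA-1 digest under the RFC 2307 `{SHA}` scheme, with no salt, so it cannot be rewritten as a crypt(3) `$id$salt$hash` string) and applies the selection rule described in post #3. The function names and the `$1$` sample string are constructed for illustration, and treating a bare value that starts with `$` as a crypt(3) string is an assumption.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # {SHA} and {SSHA} both carry a 20-byte SHA-1 digest

# Value quoted in post #1 of the thread.
THREAD_VALUE = "{SHA}Ze+rczxx0HMdPbHNwVE1JTPyCi4="
# Constructed placeholder in $1$salt$hash layout; not a real hash.
CONSTRUCTED_CRYPT = "$1$EXAMPLE0$CONSTRUCTEDPLACEHOLDER"


def parse_userpassword(value):
    """Return (scheme, data, salt) for one userPassword value."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if value.upper().startswith("{CRYPT}"):
        return "CRYPT", value[7:], None
    if value.startswith("$"):  # assumption: bare crypt(3) string, as in post #3
        return "CRYPT", value, None
    if not value.startswith("{") or "}" not in value:
        return "CLEARTEXT", value, None
    scheme, _, encoded = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA"):
        return scheme, encoded, None  # other schemes are left undecoded
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) < SHA1_LEN or (scheme == "SHA" and len(raw) != SHA1_LEN):
        raise ValueError("unexpected %s payload length: %d" % (scheme, len(raw)))
    # {SSHA} appends the salt after the digest; {SHA} has nothing after it.
    return scheme, raw[:SHA1_LEN], raw[SHA1_LEN:] or None


def verify(value, password):
    """Check a password against a {SHA} or {SSHA} value."""
    scheme, digest, salt = parse_userpassword(value)
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("cannot verify scheme " + scheme)
    candidate = hashlib.sha1(password.encode("utf-8") + (salt or b"")).digest()
    return hmac.compare_digest(candidate, digest)


def shadow_field(values, prefix="$1$"):
    """First crypt(3) value with the wanted prefix, else the '!!' fallback from post #3."""
    for value in values:
        scheme, data, _ = parse_userpassword(value)
        if scheme == "CRYPT" and data.startswith(prefix):
            return data
    return "!!"
```
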
 
  

