I'm trying to add users to an ApacheDS directory (I'm using the .NET DirectoryServices API) and I'm hitting an error when saving the entry to the directory.

As far as I can see, the password is stored as a Salted SHA hash and in order to verify a user-entered password, I will need to know the original hash, right?

Using Apache Directory Studio, I can see the original salt using the "Password Editor", so the salt is obviously stored somewhere. How do I store the salt in the directory entry so that I can later retrieve it to salt and hash the user input and check the result against the stored password?

Greg B

If your objective is to verify the user, then you should perform a bind (provide the user's DN and cleartext password) for the user against the LDAP instance. You should never need the hash itself. – jwilleke Jan 31 '15 at 10:29

Not necessarily. You can authenticate as an application and check other users' passwords. – user2108278 Feb 22 '17 at 13:04

1 Answer

The salt is stored along with the hash: you can strip the hashing mechanism name found at the beginning of the value of 'userPassword' (e.g. {ssha}) and then extract the salt and password from the remaining value based on the type of the hashing mechanism.

kayyagari