
I use OpenLDAP slapd 2.4.40 and PostgreSQL 9.2.23 as back-sql on CentOS 6.9.

The user and password for the LDAP uid and userPassword are stored in PostgreSQL with DES encoding.

The original clear text is JacicFk5.

The DES encoded/encrypted text, which is stored in the DB, is IfjFxsltK/MPE.

I can see the user information as the result of ldapsearch using the stored password.

ldapsearch -x  -b "dc=example,dc=com" -D uid="HDZZZ0R0N,ou=people,dc=example,dc=com" -w IfjFxsltK/MPE '(&(uid= HDZZZ0R0N)(objectClass=*))'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(uid= HDZZZ0R0N)(objectClass=*))
# requesting: ALL
#

# user01, people, example.com
dn: uid= HDZZZ0R0N,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn:: W+aOkl3lia/nlKPnianjg6Hjg7Pjg4bjg4rjg7PjgrnvvIgzNu+8iVNURw==
sn:: W+aOkl3lia/nlKPnianjg6Hjg7Pjg4bjg4rjg7PjgrnvvIgzNu+8iVNURw==
uid: HDZZZ0R0N
userPassword:: SWZqRnhzbHRLL01QRQ==

However, I can't do an ldapsearch with the original clear-text password:

ldapsearch -x -b "dc=example,dc=com" -D uid="HDZZZ0R0N,ou=people,dc=example,dc=com" -w JacicFk5 '(&(uid= HDZZZ0R0N)(objectClass=*))'
ldap_bind: Invalid credentials (49)

Can anyone tell me how to make ldapsearch resolve a given clear-text password against the stored DES-encoded password?

What I'd like to know is how to make the plaintext JacicFk5 from the ldapsearch command line hash to IfjFxsltK/MPE and match against the IfjFxsltK/MPE stored in the DB as userPassword.

Is there a suitable directive for ldap.conf or slapd.conf?

I've checked the following.

echo "SWZqRnhzbHRLL01QRQ==" |perl -MMIME::Base64 -ne 'print decode_base64($_) . "\n"'

It returns IfjFxsltK/MPE

perl -e 'print("userPassword: {crypt}".crypt("JacicFk5","If")."\n");'

It returns userPassword: {crypt}IfjFxsltK/MPE

One more piece of info: my ldapsearch can resolve the password text for users stored in an AD server via ownCloud.

  • Well I wanted to convert all passwords stored in LDAP to plaintext. I have always done it the other way around. Since my answer did not help you I'm deleting it. – tukan Sep 13 '18 at 13:11
  • According to the configure file for slapd 2.4.40, `ppolicy` is not enabled unless the switch is on. `-enable-ppolicy Password Policy overlay no|yes|mod [no]` Mine is the package for CentOS. I can't change it. – user1345414 Sep 14 '18 at 09:18
  • I built the same version of slapd myself with ppolicy enabled. Nothing changed. – user1345414 Sep 14 '18 at 13:40
  • I'm ready to customize the slapd source now. Can anyone tell me which source file is the best place to add DES encryption to make the cleartext password match against the stored password? – user1345414 Sep 14 '18 at 14:11
  • @tukan, your info was important. You mustn't delete it. – user1345414 Sep 14 '18 at 14:15
  • Ok, I have undeleted the post. You can use crypt (3) `http://man7.org/linux/man-pages/man3/crypt.3.html` (note: the DES algorithm itself has a few quirks which make the use of the crypt() interface a very poor choice for anything other than password authentication.) – tukan Sep 14 '18 at 14:24


What you want/need to have is LDAP simple authentication. Please first note that it is insecure to store passwords in plaintext!

First you need to test what auth mechanisms you have supported/allowed.

An example:

tukanos@localhost:~# ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM

Now you want to change the configuration via ldapmodify. You prepare a LDIF file (LDIF stands for LDAP Data Interchange Format) with the configuration.

Prepare your configuration file; you can name it olcSaslSecProps.ldif:

dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

What the properties mean:

noanonymous ... no anonymous connection allowed
minssf=0 ... that defines your effective encryption strength (0 ... no encryption)
passcred ... that would allow password to work as for credentials

To quote the OpenLDAP security considerations:

Security Strength Factors

The server uses Security Strength Factors (SSF) to indicate the relative strength of protection. A SSF of zero (0) indicates no protections are in place. A SSF of one (1) indicates integrity protection are in place. A SSF greater than one (>1) roughly correlates to the effective encryption key length. For example, DES is 56, 3DES is 112, and AES 128, 192, or 256.

A number of administrative controls rely on SSFs associated with TLS and SASL protection in place on an LDAP session.

security controls disallow operations when appropriate protections are not in place. For example:

    security ssf=1 update_ssf=112

requires integrity protection for all operations and encryption protection, 3DES equivalent, for update operations (e.g. add, delete, modify, etc.). See slapd.conf(5) for details.

Now to apply the LDIF file:

ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif

Now to restart the slapd daemon:

systemctl restart slapd

If you check your configuration now you should get LOGIN and PLAIN:

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN

Now your search should work with the plain-text password:

ldapsearch -x  -b "dc=example,dc=com" -D uid="HDZZZ0R0N,ou=people,dc=example,dc=com" -w JacicFk5 '(&(uid= HDZZZ0R0N)(objectClass=*))'
  • Thanks. I tried. However, `ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms ` doesn't return auth mechanisms before or after applying the LDIF. And I still can't log in with the ORIGINAL password. – user1345414 Sep 12 '18 at 11:34
  • @user1345414 did you change the default port other than `389`? Could you try `ldapsearch -h localhost -p 389 -x -b "dc=example,dc=com" -s base -LLL supportedSASLMechanisms`? – tukan Sep 12 '18 at 11:38
  • I did. And slapd just returns `dn: dc=example,dc=com` Also I tried `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn` and slapd returns `SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Authentication method not supported (7) additional info: SASL(-4): no mechanism available: security flags do not match required` – user1345414 Sep 12 '18 at 11:53
  • @user1345414 Hmm could you share the config file? `slapcat -F /etc/ldap/slapd.d -b cn=config -l config.ldif` (please replace any sensitive information) – tukan Sep 12 '18 at 11:59
  • your command returns `5b990171 str2entry: entry -1 has no dn slapcat: bad configuration directory!` . But I have cn=config.ldif file `dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap/slapd.args olcPidFile: /var/run/openldap/slapd.pid structuralObjectClass: olcGlobal entryUUID: 655d9802-393b-1038-89bd-8f0c8273e5e3 creatorsName: cn=config createTimestamp: 20180821030943Z olcPasswordHash: {CRYPT} olcSizeLimit: 5000 olcPasswordCryptSaltFormat: "_%s" olcSaslSecProps: noanonymous,minssf=0,passcred` – user1345414 Sep 12 '18 at 12:10
  • `entryCSN: 20180912112827.600157Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20180912112827Z` – user1345414 Sep 12 '18 at 12:10
  • @user1345414 Thanks. I see you are using `olcPasswordHash: {CRYPT}` (that is the DES you are getting - crypt(3) function) - OS encryption. I thought you are using SASL (you can remove the configuration I wrote as it is irrelevant for you). could you try `olcPasswordHash: {PLAIN}`? – tukan Sep 12 '18 at 13:15
  • I'll try to do that next time. I can't touch the server now. Maybe I need to wait 12 hours. Thanks anyway. – user1345414 Sep 12 '18 at 13:31
  • @user1345414: Ok, I have checked the `man` and it should be CLEARTEXT instead of PLAIN. Also add `olcPPolicyHashCleartext: TRUE` ("This attribute/directive tells the server to save cleartext passwords") – tukan Sep 12 '18 at 13:44
  • I had destroyed my slapd. Now I have recovered it. The result will be in the next comment. – user1345414 Sep 13 '18 at 02:25
  • `SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" ldap_modify: Undefined attribute type (17) additional info: olcPPolicyHashCleartext: attribute type undefined` – user1345414 Sep 13 '18 at 02:26
  • `SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: no valid hashes found` – user1345414 Sep 13 '18 at 02:26
  • One question is how slapd resolves `JacicFk5` from the command line against `IfjFxsltK/MPE` in the RDB this time. I think your method needs slapd to hash `JacicFk5` into `IfjFxsltK/MPE`. – user1345414 Sep 13 '18 at 04:03
  • @user1345414 Well I wanted to convert all passwords stored in LDAP to plaintext. I have always done it the other way around. – tukan Sep 13 '18 at 13:11
  • Thanks for the revival. My issue hasn't been solved yet, but I want to give you my bounty points, which have already expired. How should I do that? I mean the operation of this site. – user1345414 Sep 14 '18 at 14:27
  • @user1345414 you accept the answer and below you award the points. (with the check) – tukan Sep 14 '18 at 14:32
  • @user1345414 here is how it works: https://meta.stackexchange.com/questions/16065/how-does-the-bounty-system-work – tukan Sep 14 '18 at 14:33
  • @user1345414 Thank you :). – tukan Sep 14 '18 at 14:37
  • did you get it? – user1345414 Sep 14 '18 at 14:37
  • i still need your help.see you next week. – user1345414 Sep 14 '18 at 14:38
  • @user1345414 yes I got it. We can have chat to see if I can help you. – tukan Sep 14 '18 at 16:13
  • I haven't been able to find the source file which ldap is comparing input password and stored userPassword so far.I'm ready to have chat if you don't mind . – user1345414 Sep 18 '18 at 10:23
  • @user1345414 here is the chatroom - https://chat.stackoverflow.com/rooms/180263/room-for-tukan-and-user1345414 – tukan Sep 18 '18 at 11:34
  • Finally I found I must add {CRYPT} in front of the DES text stored in the RDB. – user1345414 Sep 25 '18 at 02:59
  • @user1345414 congratulations. You can create a complete docs and add it as answer I'll upvote it. – tukan Sep 25 '18 at 07:48
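The matching logic the thread converges on (the asker's crypt(3) experiment in the question and the final comment about prefixing the stored value with {CRYPT}), as an added Python example that is not part of the original question or answer and is not OpenLDAP's own code: it decodes the base64 userPassword line from the ldapsearch output, then checks a bind password against the stored value the way slapd's password-scheme dispatch does, so the unprefixed and the {CRYPT}-prefixed cases can be compared side by side. `ldif_value`, `des_crypt_available` and `verify_userpassword` are names chosen here; the DES check relies on Python's `crypt` module, which wraps the host's crypt(3) and may lack DES on newer systems.

```python
import base64
import hmac

try:
    import crypt  # wraps crypt(3); deprecated in Python 3.11, removed in 3.13
except ImportError:
    crypt = None

def ldif_value(line):
    """Split one LDIF attribute line; 'attr:: value' means a base64 value."""
    attr, sep, rest = line.partition("::")
    if sep:
        return attr.strip(), base64.b64decode(rest.strip()).decode()
    attr, _, rest = line.partition(":")
    return attr.strip(), rest.strip()

def des_crypt_available():
    """True if crypt(3) on this host still implements traditional DES."""
    if crypt is None:
        return False
    probe = crypt.crypt("probe", "ab")  # DES output is 13 chars, salt first
    return isinstance(probe, str) and len(probe) == 13 and probe[:2] == "ab"

def verify_userpassword(stored, supplied):
    """Mimic slapd's check of a bind password against one userPassword value."""
    if stored.upper().startswith("{CRYPT}"):
        if crypt is None:
            raise RuntimeError("crypt(3) is not available in this Python build")
        digest = stored[len("{CRYPT}"):]
        # crypt(3) reads its salt from the start of the stored hash ("If" for
        # IfjFxsltK/MPE), so hashing `supplied` with the stored hash as the salt
        # must reproduce that hash exactly.
        computed = crypt.crypt(supplied, digest)
        return computed is not None and hmac.compare_digest(computed, digest)
    assert not stored.startswith("{"), "other password schemes not modelled here"
    # No scheme prefix: slapd compares the value as cleartext, which is why the
    # bind with the hash string itself succeeded and the real password failed.
    return hmac.compare_digest(stored.encode(), supplied.encode())

# Constructed from the question: the userPassword line of the ldapsearch
# output and the clear-text password the asker states.
LDIF_LINE = "userPassword:: SWZqRnhzbHRLL01QRQ=="
CLEARTEXT = "JacicFk5"

if __name__ == "__main__":
    _, stored = ldif_value(LDIF_LINE)
    print(stored, verify_userpassword(stored, CLEARTEXT))         # IfjFxsltK/MPE False
    if des_crypt_available():
        print(verify_userpassword("{CRYPT}" + stored, CLEARTEXT))  # True
```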