
From the docs I got this config that works but uses a salt,

password-hash {CRYPT} password-crypt-salt-format "$6$%.16s"

and I need to store passwords in the LDAP directory that have been generated without salt encryption.

2 Answers


You had better use another password storage scheme that does not do salting, like {SHA} or {MD5}, instead of {CRYPT}:

password-hash {SHA}

If using {CRYPT} is a requirement:

  • You can still provide a static salt (bad, insecure, nearly as if there were no salt!), just comply with the given format:

    password-crypt-salt-format "$6$%.16s"
    

    $6$ is the crypt identifier for the SHA512 scheme, and we provide a 16-character-long salt:

    ~$ mkpasswd -m sha-512 --salt 'verybadseasoning' secret1
    $6$verybadseasoning$Q2kceqwB2uYT2tU./QF.qRCIWjMQdObEAZ71Ni5Ko1zJOnxUwpu3oMeyjtgiR3hSVHIT20Ay9V1.pXaNhkHYk/
    
    ~$ mkpasswd -m sha-512 --salt 'verybadseasoning' secret2
    $6$verybadseasoning$SHof1u2BCPJhYoVOk.LkWax7n5g28rzMkNCRAC5NmlT29GSeWLAlv2AoSkOS4rYfMUXsmTcyIxKDUU8aL7TlP0
    

    Note that mkpasswd won't allow using an empty salt:

    ~$ mkpasswd -m sha-512 --salt '' secret
    Wrong salt length: 0 bytes when 8 <= n <= 16 expected.
    
  • Or you can try to make crypt ignore the given/generated salt string, whatever it is (by taking zero characters from it):

    password-crypt-salt-format "$6$%.0s"
    

    It tells crypt() to use the SHA512 algorithm, the %s being substituted with a string of zero characters of salt (%.0s). I can't tell whether slapd makes the %s conversion mandatory or not, but setting just "$6$" without any substitution for salting may do the trick, as it means the same (no salt), i.e.:

    ~$ php -r 'print(crypt("secret", "$6$"));'
    $6$$2M9DchxW4txWyTYoZrH9D3VvAAQxBpEezYsLY6Cao.jwzEXpyL9xwip9hiUZX7GqTqe/E/z6iKvZqXUuqniQH.
    

See slapd.conf(5)

Note that a lack of salt exposes your system to dictionary attacks.

EricLavault
  • In this format "$6$%.0s" it would ignore the token too, and I want to ignore just the salt, sorry if I'm missing something, and thanks for your answer – Eric Nordelo Galiano Apr 08 '19 at 15:23
  • No this is a way to specify `$6$` alone (no salt). `password-crypt-salt-format` expects a string in [sprintf(3)](https://linux.die.net/man/3/sprintf) format. `$6$%.0s` actually tells crypt() to use SHA512 (`$6$`), with a substituted string of 0 characters (`%.0s`) from any passed-in or generated salt. See the php implementation example, the output shows an empty salt ($$) followed by the encrypted hash as expected. I updated the answer and hope it's clearer now. – EricLavault Apr 09 '19 at 17:36
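The answer above explains two things: how password-crypt-salt-format is a printf-style template applied to the salt (so "%.0s" keeps nothing and "%.16s" keeps 16 characters), and why a static or empty salt is weak. The following script is an added defender-side example, not code from the question, either answer, or OpenLDAP itself. It reproduces the template substitution with Python's printf-style operator and then audits a constructed LDIF export for the weaknesses discussed: empty salts, salts reused across entries (the static-salt case), too-short salts, unsalted schemes like {SHA}, and legacy DES crypt. The {CRYPT} values for alice, bob and carol are copied from the answer; every other dn, salt and hash in the sample is a placeholder made up for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample LDIF export. alice/bob share the static salt from the
# answer, carol carries the empty-salt value from the php example; dave,
# erin and frank use placeholder salts/hashes (not real credentials).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
userPassword: {CRYPT}$6$verybadseasoning$Q2kceqwB2uYT2tU./QF.qRCIWjMQdObEAZ71Ni5Ko1zJOnxUwpu3oMeyjtgiR3hSVHIT20Ay9V1.pXaNhkHYk/

dn: uid=bob,ou=people,dc=example,dc=org
userPassword: {CRYPT}$6$verybadseasoning$SHof1u2BCPJhYoVOk.LkWax7n5g28rzMkNCRAC5NmlT29GSeWLAlv2AoSkOS4rYfMUXsmTcyIxKDUU8aL7TlP0

dn: uid=carol,ou=people,dc=example,dc=org
userPassword: {CRYPT}$6$$2M9DchxW4txWyTYoZrH9D3VvAAQxBpEezYsLY6Cao.jwzEXpyL9xwip9hiUZX7GqTqe/E/z6iKvZqXUuqniQH.

dn: uid=dave,ou=people,dc=example,dc=org
userPassword: {CRYPT}$6$placeholdersalt1$PLACEHOLDERHASH

dn: uid=erin,ou=people,dc=example,dc=org
userPassword: {SHA}PLACEHOLDERBASE64DIGEST=

dn: uid=frank,ou=people,dc=example,dc=org
userPassword: {CRYPT}abXXXXXXXXXXX
"""

# {CRYPT}$<id>$[rounds=N$]<salt>$<hash>; the salt group may be empty ("$6$$...").
CRYPT_RE = re.compile(
    r"^\{CRYPT\}\$(?P<id>[^$]+)\$(?:rounds=\d+\$)?(?P<salt>[^$]*)\$(?P<hash>.*)$"
)
UNSALTED_SCHEMES = {"{SHA}", "{MD5}", "{CLEARTEXT}"}
MIN_SALT = 8  # lower bound mkpasswd enforces for sha-512 (quoted in the answer)


def render_salt_setting(fmt: str, salt: str) -> str:
    """Apply a password-crypt-salt-format template to a salt the way a
    printf-style formatter does: '%.Ns' keeps at most N characters, so
    '%.0s' drops the salt entirely. A template with no conversion is
    returned unchanged (assumption: that is how '$6$' alone behaves)."""
    return fmt % salt if "%" in fmt else fmt


def parse_userpassword(value: str):
    """Return (scheme, salt) for one userPassword value.
    salt is None when the scheme does not expose one in the {CRYPT} layout."""
    m = CRYPT_RE.match(value)
    if m:
        return "{CRYPT}$%s$" % m.group("id"), m.group("salt")
    scheme = value[: value.index("}") + 1] if value.startswith("{") else "{CLEARTEXT}"
    return scheme, None


def audit_ldif(text: str) -> dict:
    """Map each dn with a weak userPassword to a sorted list of findings."""
    entries, salts, findings = [], Counter(), defaultdict(list)
    dn = None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword: ") and dn:
            scheme, salt = parse_userpassword(line[len("userPassword: "):])
            entries.append((dn, scheme, salt))
            if salt:
                salts[salt] += 1  # count reuse across the whole export
    for dn, scheme, salt in entries:
        if scheme in UNSALTED_SCHEMES:
            findings[dn].append("unsalted-scheme")
        elif scheme == "{CRYPT}":  # no '$' layout: classic 13-char DES crypt
            findings[dn].append("legacy-des-crypt")
        elif salt is not None:
            if salt == "":
                findings[dn].append("empty-salt")
            elif len(salt) < MIN_SALT:
                findings[dn].append("short-salt")
            if salt and salts[salt] > 1:
                findings[dn].append("reused-salt")
    return {dn: sorted(f) for dn, f in findings.items()}


if __name__ == "__main__":
    for fmt in ("$6$%.16s", "$6$%.0s", "$6$"):
        print("%-10s -> %s" % (fmt, render_salt_setting(fmt, "verybadseasoning")))
    for dn, found in audit_ldif(SAMPLE_LDIF).items():
        print(dn, found)
```

The reuse check is the one that catches a static salt in practice: a single hash looks fine on its own, but an export where many entries share the same salt string is the fingerprint of a fixed "$6$<constant>" format, and identical passwords then produce identical hashes.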

You can simply import user entries with existing userPassword values without salt. The password verification will work provided the hash scheme is one supported by your local OpenLDAP installation.

The config directives password-hash and password-crypt-salt-format apply when setting new passwords.

Michael Ströder