
I have a set of users in my OpenLDAP and I wish to get some information from them, for example "cn" and "userPassword".

However, when I retrieve these details the password isn't in plain text even though it is set to this in my LDAP server.

Any ideas how to solve this?

odtf
  • Are you legally authorized to do this? If so, you should start with finding out the algorithms used, and the locations of the keys used for encryption. – Vineet Reynolds May 09 '11 at 15:07
  • You really want to read/decrypt passwords? That doesn't seem prudent. Usually LDAP systems work very hard to make sure passwords aren't decryptable. – IAmTimCorey May 09 '11 at 15:09
  • Yes I am, it's just some test work - I just want the ability to parse the same details of the LDAP through to another login system so the user doesn't have to input the details again. This LDAP system is my own, with a simple set-up - hence the reason I've set userPassword to 'clear text' – odtf May 09 '11 at 15:20
  • I think you need an SSO solution running off OpenLDAP. That is typically how you would prevent the need for users to log in multiple times when accessing different systems. – Vineet Reynolds May 09 '11 at 15:23
  • @Vineet - trying to create my own type of SSO mixed in with a few other things, so don't really want a ready-made package – odtf May 09 '11 at 15:41

2 Answers


The userPassword is generally stored in hashed form:

userPassword: {hashAlgorithm}Hashed value

Example:

userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3

The userPassword attribute is allowed to have more than one value, and it is possible for each value to be stored in a different form. During authentication, slapd will iterate through the values until it finds one that matches the offered password or until it runs out of values to inspect. The storage scheme is stored as a prefix on the value.

You can have:

CRYPT

This scheme uses the operating system's crypt(3) hash function. It normally produces the traditional Unix-style 13-character hash, but on systems with glibc2 it can also generate the more secure 34-byte MD5 hash.

MD5

This scheme simply takes the MD5 hash of the password and stores it in base64-encoded form.

SMD5

This improves on the basic MD5 scheme by adding salt (random data, which means that there are many possible representations of a given plaintext password). For example, both of these values represent the same password.

SSHA

This is the salted version of the SHA scheme. It is believed to be the most secure password storage scheme supported by slapd.

Conclusion

Most of the time you don't have to recover the password; you just have to compute the hash from the password given by the user in the login form and compare it with the one in userPassword.

JPBlanc
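A worked example of the comparison the conclusion above describes, added here and not part of JPBlanc's answer or of OpenLDAP itself: it builds and verifies {SSHA}, {SMD5}, {SHA} and {MD5} userPassword values in the layout slapd stores them (base64 of the digest, with the salt appended for the salted schemes) and tries each value of a multi-valued attribute in turn. The scheme table, function names and sample values are my own construction; {CRYPT} is left out because it depends on the platform's crypt(3).

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Scheme -> (hashlib name, salted?). Salted schemes store base64(digest + salt);
# unsalted ones store base64(digest). {CRYPT} is left out (platform crypt(3)).
SCHEMES = {"SHA": ("sha1", False), "SSHA": ("sha1", True),
           "MD5": ("md5", False), "SMD5": ("md5", True)}
PREFIX_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.+)$")

# Constructed fixture: the {SHA} form of the password "secret".
SAMPLE_SHA = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="


def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in slapd's {SCHEME}base64(...) layout."""
    algo, salted = SCHEMES[scheme.upper()]
    salt = (os.urandom(4) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def check_userpassword(stored: str, candidate: str) -> bool:
    """Compare a candidate against one stored value: hash the candidate with the
    stored salt and compare digests in constant time. Nothing is 'recovered'."""
    m = PREFIX_RE.match(stored)
    if not m:  # no {scheme} prefix: slapd treats the value as cleartext
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, b64 = m.group(1).upper(), m.group(2)
    if scheme not in SCHEMES:
        return False  # unknown or unsupported scheme: reject rather than guess
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False  # malformed value
    size = hashlib.new(algo).digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        return False
    digest, salt = raw[:size], (raw[size:] if salted else b"")
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def check_any(values, candidate: str) -> bool:
    """userPassword is multi-valued; like slapd, accept if any value matches."""
    return any(check_userpassword(v, candidate) for v in values)
```

Note that verification is the only operation needed for a login flow; a second system that must accept the same credentials should receive the user's password at login time and verify it the same way, not read the stored value.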

Your configuration has a password policy overlay that is configured to hash the plain text password. olcPPolicyHashCleartext: TRUE or ppolicy_hash_cleartext. Remove them and it should start storing the passwords in plain text.

That said, it isn't a good idea to store plain text passwords. At least encrypt it so that it can't be easily reversed by casual observers. And no, ROT13 or base64 encoding don't count.

user207421
Sam Corder