I'm just learning about LDAP, and there's something I don't quite understand.

When we create users in a directory, we define their password using the userPassword attribute. When we use, for example, the {SSHA} scheme, as far as I understand, it works like this: we take the cleartext password, add to it some random salt, and hash it all together. We then store this value in the userPassword attribute.

Now, say I have some application that needs to authenticate a user using this directory. The application prompts the user to enter Username and Password. Now, the application queries the directory to search for the relevant user entry.

Then, the application needs to compare the password that the user entered with the userPassword attribute. But this is what I don't understand - how does the application know the random salt that was generated when the user was first registered to the directory?

YoavKlein
  • "The application needs to compare the password that the user entered with the userPassword attribute.". No it doesn't. The application should attempt to bind as that user with that password. The LDAP server will do the checking, and everything to do with hashing the supplied password. – user207421 Jun 12 '23 at 12:06
  • Does this answer your question? [Verify LDAP user password with SSHA-512 hash method](https://stackoverflow.com/questions/17877432/verify-ldap-user-password-with-ssha-512-hash-method) – user207421 Jun 13 '23 at 08:13
  • See answers [here](https://stackoverflow.com/a/17903977/207421) and [here](https://stackoverflow.com/a/16168560/207421). – user207421 Jun 13 '23 at 08:15
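The missing piece in the question is that the {SSHA} value stored in userPassword is not only the hash: it is base64(SHA1(password || salt) || salt), so the salt travels with the digest and whoever verifies the password (normally the LDAP server itself during a bind, as the comment above says) simply splits it back out. The following Python is an added example written for this page, not code from the question, the linked answers or any LDAP server; it builds and verifies {SSHA} values in that layout. The function names and the fixed salts used in the demo are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # SHA-1 digest is 20 bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the {SSHA} layout.

    Layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    A fresh random salt is drawn when none is given; passing a salt
    explicitly is only useful for deterministic demonstrations/tests.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Recover (digest, salt) from a stored {SSHA} value.

    The salt is simply everything after the first DIGEST_LEN bytes of the
    decoded payload; this is how a verifier learns the salt without it
    being stored anywhere else.
    """
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    # validate=True rejects stray characters; it raises binascii.Error,
    # which is a subclass of ValueError.
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("payload too short to hold digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    Malformed values verify as False rather than raising, and the digest
    comparison is constant-time to avoid leaking how many leading bytes
    matched.
    """
    try:
        digest, salt = ssha_split(stored)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demo values, not real directory data.
    stored = ssha_hash("correct horse battery staple")
    print("stored userPassword:", stored)
    print("salt recovered from it:", ssha_split(stored)[1].hex())
    print("right password verifies:", ssha_verify("correct horse battery staple", stored))
    print("wrong password verifies:", ssha_verify("wrong", stored))
```

Two points worth noticing when running it: hashing the same password twice yields different stored values because the salt differs, yet both verify, and the verifier never needs any state beyond the stored attribute itself. An application that binds to the directory never touches any of this; it only becomes relevant if you read userPassword out and check it yourself, which the comments above advise against.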

0 Answers