On 03/27/2018 09:11 PM, Joe Cooter wrote:
> Hi,
>
> I’m attempting to build an application using the userPassword attribute, with
> hashes stored using PBKDF2_SHA256. However, using the passlib hash library
> for pbkdf2_sha256 is complaining about a malformed hash. Looking at the
> hash, it appears that there aren’t any delimiters between the salt,
> iterations, etc.
>
> Is there some additional encoding happening on the userPassword attribute?
The server stores the password as follows:
dn: uid=mark,dc=example,dc=com
userpassword::
e1BCS0RGMl9TSEEyNTZ9QUFBSUFFb3A0VVVUUFRjL2E2NStDS3U5cmdFa0RML0V
2NmhIamZaRDlQRXFLSFNraStrYXZYTWx6ZTZzOGsrNnFYT3I3amtjZXFpMUlZR0dndlpyK2hMczVn
cjhSRXNSSVRzSUxZVzlJTnU5RUNWOVQ2ZzhvTUphQTErbDkxZGxNR20yUjVYR0h2UmlqczlmQlk3T
zg0NGYvYk1OR0tqaXJKUHlVKzJwVVhoMzBGaS9GV0I0VW1ia2JOVmg0RGd5c0ZFOHZLOXI4RVN3RV
JJUXdHUkJOVXpuZXBJUVNmNEhUYTBQQU1HaEZjelhjekdTeUY1a3pDWGo2LzBpVWRDRDVydWJGMzc
0TWl3VXVrQmlKaklsRkhheUMwV0N2dWtZNkVmQ1BESFNrRjNGaThlVHNjZGxGSitDcFRSME1pVStP
T1R3Qkt4MGRsMGpUYU8yVzQyVFFCcnY2MUtsUUovV05NQkpMVmRreWRhT3J1L0xJcVhha3hrblZMe
G9kTS96d1dzVmZYempSQjhQRGxZalpyR3lhSjZ1YWlYSStEWXUzYzVvWlcrSUx3YjdEazB3
base64 decoding the password gives us:
{PBKDF2_SHA256}AAAIAEop4UUTPTc/a65+CKu9rgEkDL/Ev6hHjfZD9PEqKHSki+kavXMlze6s8k+6qXOr7jkceqi1IYGGgvZr+hLs5gr8REsRITsILYW9INu9ECV9T6g8oMJaA1+l91dlMGm2R5XGHvRijs9fBY7O844f/bMNGKjirJPyU+2pUXh30Fi/FWB4UmbkbNVh4DgysFE8vK9r8ESwERIQwGRBNUznepIQSf4HTa0PAMGhFczXczGSyF5kzCXj6/0iUdCD5rubF374MiwUukBiJjIlFHayC0WCvukY6EfCPDHSkF3Fi8eTscdlFJ+CpTR0MiU+OOTwBKx0dl0jTaO2W42TQBrv61KlQJ/WNMBJLVdkydaOru/LIqXakxknVLxodM/zwWsVfXzjRB8PDlYjZrGyaJ6uaiXI+DYu3c5oZW+ILwb7Dk0w
In 389 Directory Server it looks at the password encoding prefix:
{ALGO} --> {PBKDF2_SHA256} the rest is the complete password hash
The salt length is 64 and iterations length is 4:
#define PBKDF2_SALT_LENGTH 64
#define PBKDF2_ITERATIONS_LENGTH 4
In pbkdf2_sha256_pw_enc_rounds() in
ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
we write the hash like so:
pbkdf2_sha256_hash(hash + PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH,
...);
So the password hash itself should be everything after an offset of 68
(PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH).
HTH,
Mark
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
