On Tue, 21 Jan 2003, Timm Korte wrote:
> Hi
>
> I think this might rather be a password-hashing problem... when creating an
> SSHA Password Hash, a "salt" is used - which might/should be some attribute of
> the user - such as the uid.
> When copying an SSHA "hash" from user "A" to user "B" - User "B" won't be
> able to log in with user "A"'s password.
> When the password attributes are being compared, a new SSHA "hash"
> is calculated first, using the username "B" as salt. This is then compared
> to the hash that was calculated using the username "A" in the first place.
> This compare will fail.
I'm pretty sure SHA doesn't use the uid as a salt. That would reduce the
effectiveness of the encryption dramatically. I have moved MD5 & SHA
encrypted passwords between accounts and even changed DN and UID attributes
on the fly with no ill effect.
-Matt
>
> greetings & bye
>
> Timm
>
> > I created a new user entry and used
> > userPassword:{SSHA}22onNmlYVY5lUwkx0zkzb+LYODZTLp1Z in the .ldif file. I
> > simply substituted all the aaron13 strings with aaron14 in the ldif file and
> > then loaded the file into ldap.
> > Now when I try to login I get the message below.
> > Could my ldif file be wrong (I've attached it), kindly see attachment.
> >
> > [aaron@development aaron]$ telnet localhost 110
> > Trying 127.0.0.1...
> > Connected to development (127.0.0.1).
> > Escape character is '^]'.
> > +OK <[EMAIL PROTECTED]>
> > user aaron14
> > +OK
> > pass aaron
> > -ERR user record incorrect
> > Connection closed by foreign host.
> >
> >
> > Allan Kamau.
> >
> >
> > -----Original Message-----
> > From: Claudio Jeker [mailto:[EMAIL PROTECTED]]
> > Sent: 21 January 2003 11:01
> > To: [EMAIL PROTECTED]
> > Subject: Re: libsasl.so.7: failed error
> >
> > On Tue, Jan 21, 2003 at 01:51:28AM -0500, Speedfreak wrote:
> > > On January 21, 2003 12:59 am, Kamau Allan wrote:
> > > > And my aaron13.ldif which I used in creating the user's entry into
> > > > openLDAP is as follows.
> > > >
> > > > dn:uid=aaron13,dc=arril,dc=net
> > > > userPassword:aaron
> > >
> > > I don't think "userPassword:aaron" will work unless you have
> > > -DCLEARTEXTPASSWORD enabled in the Makefile. Try setting
> > > "userPassword:{SSHA}22onNmlYVY5lUwkx0zkzb+LYODZTLp1Z" (ie. sha hash
> > > of the string 'aaron') instead. You can get the hash using
> > > slappasswd with OpenLDAP.
> > >
> >
> > Another problem is that the uid is aaron13 and the uid is used for the
> > auth_* lookup in ldap not the mail address.
> >
> > --
> > :wq Claudio
> >
> >
>
>
--
----------------------------------------------------------------------
Matthew S. Crocker
Vice President / Internet Division Email: [EMAIL PROTECTED]
Crocker Communications Phone: (413) 746-2760
PO BOX 710 Fax: (413) 746-3704
Greenfield, MA 01302-0710 http://www.crocker.com
----------------------------------------------------------------------