On 30/03/2020 23:13, Lohr, Donald wrote:
I am not a Apache Directory Studio user (nor an ApacheDS LDAP admin)
but have done administration on a number of other LDAP products.
Are you using the ApacheDS LDAP product?
1) If the ApacheDS LDAP product follows the LDAP RFC then the
following is true about the userpassword attribute:
https://tools.ietf.org/html/rfc4519#section-2.41
2.41. 'userPassword'
The 'userPassword' attribute contains octet strings that are known
only to the user and the system to which the user has access. *Each
string is one value of this multi-valued attribute.*
The application SHOULD prepare textual strings used as passwords by
transcoding them to Unicode, applying SASLprep [RFC4013], and encoding
as UTF-8. The determination of whether a password is textual is a
local client matter. (Source: X.509 [X.509])
( 2.5.4.35 NAME 'userPassword'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
1.3.6.1.4.1.1466.115.121.1.40 refers to the Octet String syntax
[RFC4517].
Passwords are stored using an Octet String syntax and are not
encrypted. Transfer of cleartext passwords is strongly discouraged
where the underlying transport service cannot guarantee
confidentiality and may result in disclosure of the password to
unauthorized parties.
An example of a need for multiple values in the 'userPassword'
attribute is an environment where every month the user is expected
to use a different password generated by some automated system.
During transitional periods, like the last and first day of the
periods, it may be necessary to allow two passwords for the two
consecutive periods to be valid in the system.
2) How are you changing the password?
3) If you are using Directory Studio, all I can offer is try is try
their ldapmodify command line application:
https://directory.apache.org/apacheds/basic-ug/2.1.1-adding-entries.html
ldapmodify -h /serverIP/ -p /port#/ -D /adminAccount/ -w
/password/ -a -f replace.ldif
Say the user's dn you are talking about is:
/dn: cn=test,cn=users,dc=acme,dc=com/
...create the following ldif file (replace.ldif):
/dn: cn=test,cn=users,dc=acme,dc=com/
changetype: modify
replace: userpassword
userpassword: /aNewValue/
The replace: action will replace all items in a multi-valued attribute
with the listed. In this case /aNewValue/.
Everything I've put in italics you have to use your own values and
also meet whatever password policy your user with the issue is
controlled by.
That's all I have, sorry if it does not provide any assistance.
That pretty much sumups the situation.
I would just add that :
- having more than one hashed password is not an issue, the server will
check every value until one fits and then allow the user. Otherwise, if
none of the value fits, then it will be a failure.
- you wont' be able to know which value is the right one, if you don't
know the original password. The only way would be to get teh 2 values,
get rid of one, inject the other in the server, and see if the user can
still login. If so, you are golden (and lucky). Otherwise, do it again :
delete the value, and inject the second one. This time, that should be ok.
- all in all, using a LdapModify operation to modify a password is just
atrocious. What should be done is to use the PasswordModify extended
operation that deals with all the complexity of changing a password
(including generating a password , if the server supports such a feature
- ApacheDS does not )-.
- If you are using ApacheDS or OpenLDAP, then there is a feature that
makes it so the server automatically hash the provided password for you,
so that you don't need to do it on the client side. This is useful as it
simplifies the user's password modification operation. This option has
to be activated, it's optionnal.
Hope it helps !
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
