
How to make ldap evaluate clear text password vs DES stored password


I use openldap slapd 2.4.40 and postgresql 9.2.23 as back-sql on CentOS 6.9.

The user and password for the LDAP uid and userPassword are stored in postgresql with DES encoding.

The original clear text is JacicFk5

The DES encoded/encrypted text is IfjFxsltK/MPE, which is stored in the DB.

I can see the user information as the result of ldapsearch with the stored password.

ldapsearch -x  -b "dc=example,dc=com" -D uid="HDZZZ0R0N,ou=people,dc=example,dc=com" -w IfjFxsltK/MPE '(&(uid= HDZZZ0R0N)(objectClass=*))'          
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(uid= HDZZZ0R0N)(objectClass=*))
# requesting: ALL
#

# user01, people, example.com
dn: uid= HDZZZ0R0N,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn:: W+aOkl3lia/nlKPnianjg6Hjg7Pjg4bjg4rjg7PjgrnvvIgzNu+8iVNURw==
sn:: W+aOkl3lia/nlKPnianjg6Hjg7Pjg4bjg4rjg7PjgrnvvIgzNu+8iVNURw==
uid: HDZZZ0R0N
userPassword:: SWZqRnhzbHRLL01QRQ==

However, I can't do ldapsearch with the original clear text password:

ldapsearch -x -b "dc=example,dc=com" -D uid="HDZZZ0R0N,ou=people,dc=example,dc=com" -w JacicFk5 '(&(uid= HDZZZ0R0N)(objectClass=*))'
ldap_bind: Invalid credentials (49)

Can anyone tell me how to make ldapsearch resolve the given clear text password against the stored DES-encoded password?

What I'd like to know is how to make the plaintext JacicFk5 from the ldapsearch command line hash to IfjFxsltK/MPE and match it against the IfjFxsltK/MPE stored in the DB as userPassword.

Is there a suitable directive for ldap.conf or slapd.conf?

I've checked the following.

echo "SWZqRnhzbHRLL01QRQ==" |perl -MMIME::Base64 -ne 'print decode_base64($_) . "\n"'

It returns IfjFxsltK/MPE

perl -e 'print("userPassword: {crypt}".crypt("JacicFk5","If")."\n");'

It returns userPassword: {crypt}IfjFxsltK/MPE

One more piece of info: my ldapsearch can resolve the password text for users stored in an AD server via ownCloud.
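To see what the {crypt} comparison in the question actually involves, and why it is weak, here is an added example (not part of the original question, and not OpenLDAP's own code): it decodes the `userPassword::` LDIF line, re-hashes a bind password with the stored value's 2-character salt through the system crypt(3), which is what slapd's {CRYPT} password scheme does on a simple bind, and shows that traditional DES crypt only looks at the first 8 password characters. The `ctypes` fallback to `libcrypt.so.1` is an assumption for Python 3.13+, where the stdlib `crypt` module was removed; on a libcrypt built without DES support the functions return None.

```python
import base64
import ctypes
import hmac

# Constructed from the question's ldapsearch output; decodes to "IfjFxsltK/MPE".
LDIF_LINE = "userPassword:: SWZqRnhzbHRLL01QRQ=="

def userpassword_from_ldif(line):
    """Value of one LDIF line; 'attr:: ...' means the value is base64-encoded."""
    _attr, sep, value = line.partition("::")
    if sep:
        return base64.b64decode(value.strip()).decode()
    return line.partition(":")[2].strip()

def _libc_crypt(key, salt):
    """crypt(3) via the stdlib module (Python <= 3.12) or libcrypt via ctypes."""
    try:
        import crypt                                   # removed in Python 3.13
        return crypt.crypt(key, salt)
    except ImportError:
        lib = ctypes.CDLL("libcrypt.so.1")             # assumption: glibc/libxcrypt soname
        lib.crypt.restype = ctypes.c_char_p
        lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        out = lib.crypt(key.encode(), salt.encode())
        return out.decode() if out else None

def des_crypt(password, salt):
    """Traditional DES crypt: 2-char salt, 13-char output, only 8 password chars count."""
    try:
        out = _libc_crypt(password, salt[:2])
    except (OSError, AttributeError):
        return None                                    # no usable libcrypt at all
    if not out or len(out) != 13 or not out.startswith(salt[:2]):
        return None                                    # libxcrypt failure token such as "*0"
    return out

def check_crypt_password(clear, stored):
    """slapd's {CRYPT} check: strip the tag, reuse the hash as salt, re-hash, compare."""
    if stored.lower().startswith("{crypt}"):
        stored = stored[len("{crypt}"):]
    candidate = des_crypt(clear, stored)
    if candidate is None:
        return None
    return hmac.compare_digest(candidate, stored)      # constant-time comparison

if __name__ == "__main__":
    stored = "{crypt}" + userpassword_from_ldif(LDIF_LINE)
    for pw in ("JacicFk5", "wrongpass", "JacicFk5-anything"):  # third shows 8-char truncation
        print(pw, "->", check_crypt_password(pw, stored))
```

Running it prints True for the first and third password and False for the second: any password sharing the first 8 characters binds successfully, one reason this scheme should be replaced by a salted modern hash such as {SSHA} or crypt's SHA-512 variant.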


Solution

  • What you want/need to have is an LDAP simple authentication. Please first note that it is insecure to store passwords in plaintext!

    First you need to test what auth mechanisms you have supported/allowed.

    An example:

    tukanos@localhost:~# ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: NTLM
    

    Now you want to change the configuration via ldapmodify. You prepare a LDIF file (LDIF stands for LDAP Data Interchange Format) with the configuration.

    Prepare your configuration file; you can name it olcSaslSecProps.ldif:

    dn: cn=config
    changetype: modify
    replace: olcSaslSecProps
    olcSaslSecProps: noanonymous,minssf=0,passcred
    

    What the properties mean:

    noanonymous ... no anonymous connection allowed
    minssf=0 ... that defines your effective encryption strength (0 ... no encryption)
    passcred ... that would allow password to work as for credentials
    

    To quote the OpenLDAP security considerations:

    Security Strength Factors

    The server uses Security Strength Factors (SSF) to indicate the relative strength of protection. A SSF of zero (0) indicates no protections are in place. A SSF of one (1) indicates integrity protection are in place. A SSF greater than one (>1) roughly correlates to the effective encryption key length. For example, DES is 56, 3DES is 112, and AES 128, 192, or 256.

    A number of administrative controls rely on SSFs associated with TLS and SASL protection in place on an LDAP session.

    security controls disallow operations when appropriate protections are not in place. For example:

        security ssf=1 update_ssf=112
    

    requires integrity protection for all operations and encryption protection, 3DES equivalent, for update operations (e.g. add, delete, modify, etc.). See slapd.conf(5) for details.

    Now to apply the LDIF file:

    ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif
    

    Now to restart the slapd daemon:

    systemctl restart slapd
    

    If you check now your configuration you should get LOGIN and PLAIN:

    ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: PLAIN
    supportedSASLMechanisms: LOGIN
    

    Now your search should work with the plain text password:

    ldapsearch -x  -b "dc=example,dc=com" -D uid="HDZZZ0R0N,ou=people,dc=example,dc=com" -w JacicFk5 '(&(uid= HDZZZ0R0N)(objectClass=*))'