It makes sense. Thanks.
I'll try your method next week and will report its result.

in message "Re: How to make ldap evaluate clear text password vs DES stored password",
Olivier <[email protected]> wrote:
> [email protected] writes:
>
> > Hi. Thanks for your advice.
> >
> > My case is a bit complicated.
> >
> > DES hashed text stored in my RDB is actually cleartext for the RDB itself.
> >
> > slapd/ldapsearch show it as clear text with base64.
>
> If your RDB is storing a DES password compatible for LDAP, it must store
> a character string of the form "{CRYPT}F6ojc88jnbdc".
>
> The {CRYPT} part is telling LDAP that the string is a DES password. If
> there is no {CRYPT} part, LDAP assumes that the string is a cleartext
> password (this is confirmed by what you say below, you can connect if
> you type the base64/DES text).
>
> So you should:
>
> - take whatever password text that is currently stored in RDB
> - remove base64
> - append {CRYPT} at the beginning
> - store that back in RDB
>
> The RDB will now be storing a DES password that LDAP can use.
>
> I suggest that you test with one account before changing all accounts.
>
> Does any system use the password in RDB or only LDAP? If only LDAP, you
> can modify all passwords. If other systems use the password, you must
> have one password in LDAP format ({CRYPT} no base64) and one password
> for the other applications (no {CRYPT} and base64). Or you must find a
> way for the RDB to present a different password to LDAP and to the other
> application (for example, depending on the IP address of the client
> asking for the password).
>
> Best regards,
>
> Olivier
>
> > When I give original password, certification process returns invalid
> > credential,
> > but when I give DES hashed text which is same value of the
> > RDB, certification succeed as you wrote.
> >
> > However, I'd like slapd/ldapsearch to change input password to same value in
> > the RDB instead of typing by myself because, I can read the RDB directory but
> > others can't.
> >
> > I've confirmed my crypt can hash the text into same value of text in the RDB.
> >
> > Any idea?
> >
> > in message "Re: How to make ldap evaluate clear text password vs DES stored
> > password",
> > Olivier <[email protected]> wrote:
> >> Hi,
> >>
> >> >LDAP’s userPassword stored in the RDB has been already DES hashed by
> >> >original app. On the other hand, input password from ldapsearch command
> >> >line is CLEARTEXT.
> >> >
> >> >I’d like to change certification process of LDAP source file to make input
> >> >password into DES hashed by using 2 characters of userPassword as its
> >> >SALT.
> >>
> >> That is how LDAP works if it knows that your password is DES.
> >>
> >> But the encoding for DES by LDAP may be slightly different from the
> >> encoding for DES by your original app.
> >>
> >> For a DES encrypted password, LDAP expects to see:
> >> userpassword: {CRYPT}6FgwLHWxQzlgA
> >> where 6F is the salt (LDAP knows that the 6F is the salt)
> >>
> >> So if your RDB only contains 6FgwLHWxQzlgA, you may have to modify that.
> >>
> >> Or I did not understand your question.
> >>
> >> Best regards,
> >>
> >> Olivier
> >

--
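
The conversion listed in the quoted reply (take the stored text, remove base64, put {CRYPT} in front), as an added Python example that is not part of the original thread. The function name and the sample rows are hypothetical; the sample hash is the one quoted in the thread, and the check assumes traditional 13-character DES crypt output.

```python
import base64
import re

# Traditional DES crypt(3) output: 2 salt characters + 11 hash characters,
# all from the alphabet ./0-9A-Za-z (13 characters in total).
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
SCHEME = "{CRYPT}"


def to_ldap_crypt(stored: str) -> str:
    """Return a stored value in the {CRYPT}<hash> form slapd compares against.

    Accepts the hash base64-encoded, raw, or already prefixed. Anything that
    is not a 13-character DES crypt string is rejected, so a cleartext or
    unrelated value is never silently labelled as {CRYPT}.
    """
    value = stored.strip()
    if value[:len(SCHEME)].upper() == SCHEME:
        # Already converted: keep the hash part and normalise the prefix.
        value = value[len(SCHEME):]
    else:
        try:
            # Strict decoding: a raw 13-character hash is not valid base64
            # (its length is not a multiple of 4), so it falls through.
            decoded = base64.b64decode(value, validate=True).decode("ascii")
        except ValueError:
            decoded = None
        if decoded is not None and DES_CRYPT.fullmatch(decoded):
            value = decoded
    if not DES_CRYPT.fullmatch(value):
        # The message deliberately omits the value so hashes stay out of logs.
        raise ValueError("not a 13-character DES crypt hash; row left as is")
    return SCHEME + value


if __name__ == "__main__":
    sample = "6FgwLHWxQzlgA"  # hash quoted in the thread; salt is "6F"
    rows = {  # constructed sample rows: account -> value as stored in the RDB
        "test-account": base64.b64encode(sample.encode()).decode(),
        "raw-account": sample,
        "odd-account": "hunter2",
    }
    for account, stored in rows.items():
        try:
            print(account, "->", to_ldap_crypt(stored))
        except ValueError as err:
            print(account, "-> skipped:", err)
```
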
