Decrypting OpenLDAP passwords
I have a set of users in my OpenLDAP and I wish to get some information from them, for example "cn" and "userPassword".
However, when I retrieve these details the password isn't in plain text even though it is set to this in my LDAP server.
Any ideas how to solve this?
Comments (2)
The userPassword is generally stored in hashed form.
Example:
The userPassword attribute is allowed to have more than one value, and it is possible for each value to be stored in a different form. During authentication, slapd will iterate through the values until it finds one that matches the offered password or until it runs out of values to inspect. The storage scheme is stored as a prefix on the value. You can have:
CRYPT
This scheme uses the operating system's crypt(3) hash function. It normally produces the traditional Unix-style 13 character hash, but on systems with glibc2 it can also generate the more secure 34-byte MD5 hash.
MD5
This scheme simply takes the MD5 hash of the password and stores it in base64 encoded form.
SMD5
This improves on the basic MD5 scheme by adding salt (random data which means that there are many possible representations of a given plaintext password). For example, both of these values represent the same password:
SSHA
This is the salted version of the SHA scheme. It is believed to be the most secure password storage scheme supported by slapd.
Conclusion
Most of the time you don't have to recover the password. You just have to compute the hash from the password given by the user in the login form and compare it with the one of userPassword.
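Verifying a login against a hashed userPassword value, as an added example (Python, not code from either answer): it parses the {SCHEME} prefix described above, recomputes the digest with the stored salt and compares, and can also generate a fresh SSHA value. It assumes the base64(digest + salt) layout for SHA/SSHA/MD5/SMD5, treats a value without a prefix as cleartext (as slapd does), and leaves CRYPT out.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Digest algorithm and whether the scheme appends a salt, per userPassword prefix.
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}

def make_hash(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in the '{SCHEME}base64(digest [+ salt])' layout.
    A fresh random salt makes the same password yield different stored values."""
    algo, salted = _SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)  # assumed salt length; slapd's default is also 8 bytes
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def check_password(stored: str, candidate: str) -> bool:
    """Verify one stored value the way slapd does: recompute the digest with the
    stored salt and compare. The original password is never recovered."""
    if not stored.startswith("{") or "}" not in stored:
        # Without a scheme prefix slapd treats the value as cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, encoded = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        return False  # {CRYPT} needs crypt(3); not covered by this example
    algo, salted = _SCHEMES[scheme]
    raw = base64.b64decode(encoded)
    digest_len = hashlib.new(algo).digest_size
    digest = raw[:digest_len]
    salt = raw[digest_len:] if salted else b""
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)

def check_any(values, candidate: str) -> bool:
    """userPassword may be multi-valued; the first matching value authenticates."""
    return any(check_password(v, candidate) for v in values)
```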
Your configuration has a password policy overlay that is configured to hash the plain text password.
olcPPolicyHashCleartext: TRUE
or ppolicy_hash_cleartext. Remove them and it should start storing the passwords in plain text. That said, it isn't a good idea to store plain text passwords. At least encrypt it so that it can't be easily reversed by casual observers. And no, ROT13 or base64 encoding don't count.