How do you turn on password hashing (SSHA) in openLDAP


For the life of me, I cannot seem to find this anywhere and if anyone can even just give me a link I would be very appreciative.

We are trying to turn on SSHA hashing in openLDAP. By default it stores passwords in plaintext, which I think is criminal but hey I am an AD guy so what do I know. But you would think that they would make it easy to find the information needed to turn on hashing if you so choose. And wouldn't you choose?

5

There are 5 answers

1
Najmuddin (best answer)

You can use `password-hash` to change the hashing algorithm; the default one is SSHA (not clear text).

Note that slapd uses the above only if the passwords sent by clients are in plain text; if your client sends a hashed password, it will be stored as is.

For example, with pam_ldap, use `pam_password exop` (or `clear`).

How are password strength tests run at the server if the password is coming in hashed? I know that is a feature OpenLDAP touts.

If you send hashed passwords, slapd can't perform strength tests, so the clients must send passwords in clear text (ppolicy has an option to accept/reject hashed passwords).

Note:

  1. Make sure your clients use SSL/TLS (so the passwords are not sent in clear text).
  2. The userPassword attribute contains special characters ({}), so you have to do a `base64 -d` to identify the hashing algorithm used.

E.g., normally the attributes are returned in the following format (`::` indicates the value is base64 encoded):

userPassword:: e1NTSEF9QjU0VXNmQWhJN1dQZ3FvbDVSQ1l5RHUzTlVqa1luVVhYV2ljbmc9PQ==

$ echo e1NTSEF9QjU0VXNmQWhJN1dQZ3FvbDVSQ1l5RHUzTlVqa1luVVhYV2ljbmc9PQ== | openssl base64 -d
{SSHA}B54UsfAhI7WPgqol5RCYyDu3NUjkYnUXXWicng==
0
Asela

When you store the userPassword attribute in add/modify LDAP operations, the userPassword value is stored as plain text. But you can override this behavior using the ppolicy_hash_cleartext option in the ppolicy overlay module in OpenLDAP. Once you enable it, when a client sends a plain text password, it is stored as SSHA by default. You can find more details on enabling hashed passwords in OpenLDAP from here

6
anttix

OpenLDAP supports a variety of storage schemes for the administrator to choose from. The tool you use to create accounts has to be configured to do the hashing. The server will store passwords in the format the client requests. If hashing is done properly, ldapsearch will show the hashed passwords like this:

userPassword: {SSHA}d0Q0626PSH9VUld7yWpR0k6BlpQmtczb

See http://www.openldap.org/doc/admin24/security.html for details.

When it comes to administrative tools I would personally recommend http://phpldapadmin.sourceforge.net

1
jeffmedcalf

The LDAP spec requires plaintext passwords for interoperability. The link given above on security will give you the option for default hash types that the server can enforce, but do consider the implications.

0
Petrus Repo

This is an old question, but still relevant. It's no longer recommended to use SSHA (i.e. SHA-1) due to its relatively easy brute-forcing.

A more secure hashing algorithm is SHA-512. A stronger hash can be generated on the client side with OpenSSL 1.1 like this:

_generate_password_hash() {
  local plaintext; plaintext="$1"

  command printf "{CRYPT}%s" "$(openssl passwd -6 -stdin <<< "${plaintext}")"
}

This will output a string such as:

{CRYPT}$6$SGIWzAbjh.3WoQQJ$vEFlcRBQpd2fJ8dxcbojr83pjQcXcJ.InRMzNRryTQ//fMYJoCRFWAPn22EvJyDikG.MNuUqRYqQtI97Clj2F0

Notice the {CRYPT} instead of {SSHA} in the beginning.

You may apply the password for example with ldapmodify:

ldapmodify -h "${LDAP_HOST}" -D cn=user,dc=example,dc=com -W <<EOF
dn: cn=user,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: $(_generate_password_hash NEW_PASSWORD_HERE)
EOF

Notice that LibreSSL has a different set of hashing algorithms available. Check your actual OpenSSL version with openssl version if openssl passwd --help doesn't show the -6 option.
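Putting the accepted answer's base64 decoding together with this answer's preference for {CRYPT} SHA-512 over {SSHA}, here is an added example (not from any of the answers above) that audits ldapsearch output and reports which storage scheme each entry actually uses. The LDIF it reads is constructed for the example; the {SSHA} and {CRYPT} values are the ones quoted in the thread, and "cn=carol" is a made-up plaintext entry.

```python
import base64
import re

# Constructed ldapsearch output for this example (not a real directory). "::" marks a
# base64 encoded value; a folded continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: cn=alice,dc=example,dc=com
userPassword:: e1NTSEF9QjU0VXNmQWhJN1dQZ3FvbDVSQ1l5RHUzTlVqa1luVVhYV2ljbmc9PQ=
 =
dn: cn=bob,dc=example,dc=com
userPassword: {CRYPT}$6$SGIWzAbjh.3WoQQJ$vEFlcRBQpd2fJ8dxcbojr83pjQcXcJ.InRMzNRryTQ//fMYJoCRFWAPn22EvJyDikG.MNuUqRYqQtI97Clj2F0
dn: cn=carol,dc=example,dc=com
userPassword:: c2VjcmV0
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_userpasswords(text):
    """Yield (dn, decoded userPassword bytes); handles both ':' and '::' forms."""
    dn = None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:"):
            _, b64, rest = line.partition(":: ")
            yield dn, (base64.b64decode(rest) if b64 else line.partition(": ")[2].encode())

def classify(value):
    """Return (scheme, verdict) for one decoded userPassword value."""
    m = re.match(rb"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if not m:  # slapd stores what the client sent; no {scheme} prefix means plaintext
        return "CLEARTEXT", "plaintext: no {scheme} prefix"
    scheme, rest = m.group(1).decode(), m.group(2)
    if scheme == "SSHA":  # base64(SHA-1 digest || salt): 20 digest bytes, then the salt
        salt_len = len(base64.b64decode(rest)) - 20
        return scheme, f"weak: salted SHA-1 with {salt_len}-byte salt"
    if scheme == "CRYPT" and rest.startswith(b"$6$"):
        return scheme, "ok: crypt(3) SHA-512"
    return scheme, "review: other or legacy scheme"

def audit(text):
    """Map each DN to the (scheme, verdict) of its stored userPassword."""
    return {dn: classify(v) for dn, v in parse_userpasswords(text)}
```

Run it over `ldapsearch -LLL -b dc=example,dc=com userPassword` output (as the rootdn, so the attribute is returned) to find entries still stored in plaintext or with {SSHA} before switching the hashing policy.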