peter_lambrecht Absent Member.

MD5 Hashed simple password not working with bind


Following this cool solution 'Cool Solutions: Assigning a Universal
Password Policy with a Simple-Password User'
(http://www.novell.com/coolsolutions/tip/18844.html) with an eDir 8.8.6
FCS install on RHEL.

I can successfully load a crypt encrypted password without an issue.

dn: cn=peter,o=internet
changetype: add
uid: peter
sn: peter
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
cn: peter
userPassword: {crypt}W1T/Df5UjNIaQ

Works fine with the password as "password".

However

dn: cn=peter,o=internet
changetype: add
uid: peter
sn: peter
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
cn: peter
userPassword: {MD5}fc5e038d38a57032085441e7fe7010b0

or with MD5 in lower case.

Fails to bind.

Any ideas what I am doing wrong?


--
peter_lambrechtsen

Anonymous_User Absent Member.

Re: MD5 Hashed simple password not working with bind


Using your examples in my tree I cannot bind either way, but I can bind
by passing in the exact string you sent in to userPassword (as if it
were the real password). Is your user in a UP-enabled location either
by direct or indirect password policy assignment? If so you cannot set
the Simple password. It seems strange that one would work for you while
another would not since both use the Simple Password and since both
"fail" for me in the sense that neither lets me login with the string
'password' as the password.

Good luck.
peter_lambrecht Absent Member.

Re: MD5 Hashed simple password not working with bind


ab;2153553 Wrote:
> Using your examples in my tree I cannot bind either way, but I can bind
> by passing in the exact string you sent in to userPassword (as if it
> were the real password). Is your user in a UP-enabled location either
> by direct or indirect password policy assignment? If so you cannot set
> the Simple password. It seems strange that one would work for you while
> another would not since both use the Simple Password and since both
> "fail" for me in the sense that neither lets me login with the string
> 'password' as the password.
>
> Good luck.


I just re-tested it, and it works fine.

When using ICE, you need to add "-l" (lower case L) on the LDAP
destination side to get the LDIF to import correctly with a crypted or
MD5'ed password in theory.

ice -S LDIF -f peter.ldif -D LDAP -s 192.168.1.10 -p 389 -d cn=admin,o=admin -w adminpwd -l

As per 'Ldapwiki: ICE' (http://ldapwiki.willeke.com/wiki/ICE)

I've tried via SSL and cleartext and it makes no difference when
importing the MD5 Password, but does work fine for me (as long as I
specify the -l) for the crypt password, but not the MD5.

I don't have UP turned on, as per the first TID. I can then bind with
the password without UP turned on, then I apply the UP policy, and after
my next bind the UP password gets set to the correct password.

After Universal Password Policy has been applied to the user with a
{crypt} password, but the user has not logged in doing an LDAP bind:

java -jar DumpPasswordInformation.jar -h 192.168.1.10:636 -D cn=admin,o=admin -w adminpwd -b cn=peter,o=internet
# dn: cn=peter,o=internet
# cn=peter,o=internet-com.novell.security.nmas.mgmt.NMASPwdExceptionNMAS Return Code (-16049) - NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND
# Entry has no Universal Password value
Password: null
Password Policy for Entry: cn=Default,cn=Password Policies,cn=Security Error: com.novell.security.nmas.mgmt.NMASPwdExceptionNMAS Return Code (-16049)
===> Password Status <===
==> Universal Password <==
Is UPwd Enabled: true
Is the UPwd history full: false
Does UPwd match NDSPwd: false
Does UPwd match SimplePwd: false
Is UPwd older than NDSPwd: false
==> Simple Password <==
Is Simple Password Set: true
Is Simple Password Clear Text: true
Does Simple Password match NDSPwd: false

java -jar DumpPasswordInformation.jar -h 192.168.1.10:636 -D cn=admin,o=admin -w adminpwd -b cn=peter,o=internet
# dn: cn=peter,o=internet
Password: password
Password Policy for Entry: cn=Default,cn=Password Policies,cn=Security
Does Current password meet password policy assigned to user? true
===> Password Status <===
==> Universal Password <==
Is UPwd Enabled: true
Is the UPwd history full: false
Does UPwd match NDSPwd: false
Does UPwd match SimplePwd: true
Is UPwd older than NDSPwd: false
==> Simple Password <==
Is Simple Password Set: true
Is Simple Password Clear Text: true
Does Simple Password match NDSPwd: false

So crypt passwords work fine, but MD5 ones don't.

Time to log a call I think.


--
peter_lambrechtsen

peter_lambrecht Absent Member.

Re: MD5 Hashed simple password not working with bind


Also you need to make sure that the Simple Password NMAS Method is imported
into eDir (cd ~installmedia/nmas/NmasMethods/Novell/SimplePassword &&
nmasinst -addmethod admin.admin DEVTREE config.txt -h 192.168.1.10 -w
adminpwd) then doing a {crypt} based password login works fine, but not
an MD5 based one.


--
peter_lambrechtsen

peter_lambrecht Absent Member.

Re: MD5 Hashed simple password not working with bind


This has been duplicated by Engineering and is logged as bug #731225 so
we will see if it gets any traction.


--
peter_lambrechtsen

jwilleke Trusted Contributor.

Re: MD5 Hashed simple password not working with bind

We have some examples that work at:
http://ldapwiki.willeke.com/wiki/SimplePassword

--

Thank You for your help!

-jim
Jim Willeke
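
Added example, not from the thread or from Novell: a pre-import check of userPassword encodings in an LDIF, run on the two values from the first post. It assumes the RFC 2307 convention used by OpenLDAP, where a {MD5} value is the base64 of the raw 16-byte digest; the thread does not state what eDirectory's Simple Password import expects, and the function names are illustrative.

```python
import base64
import hashlib
import re

# Assumption: RFC 2307-style values (base64 of the raw digest), as in OpenLDAP.
DIGEST_LEN = {"MD5": 16, "SHA": 20}           # raw digest sizes in bytes
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char hash
HEX = re.compile(r"[0-9a-fA-F]+")

# Trimmed LDIF built from the two userPassword values in the first post.
SAMPLE_LDIF = """dn: cn=peter,o=internet
userPassword: {crypt}W1T/Df5UjNIaQ

dn: cn=peter,o=internet
userPassword: {MD5}fc5e038d38a57032085441e7fe7010b0
"""

def make_md5(password):
    """Build a {MD5} value: base64 of the raw 16-byte digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

def check_value(value):
    """Return (scheme, problem); problem is None if the encoding looks right."""
    m = re.fullmatch(r"\{([A-Za-z0-9]+)\}(.*)", value)
    if not m:
        return None, "no {scheme} prefix"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        return scheme, None if DES_CRYPT.fullmatch(body) else "not DES crypt"
    if scheme not in DIGEST_LEN:
        return scheme, "scheme not covered by this check"
    want = DIGEST_LEN[scheme]
    if len(body) == 2 * want and HEX.fullmatch(body):
        return scheme, "hex digest, expected base64 of %d raw bytes" % want
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return scheme, "not valid base64"
    return scheme, None if len(raw) == want else "wrong digest length"

def check_ldif(text):
    """Return [(dn, scheme, problem)] for plain 'userPassword:' lines."""
    out, dn = [], None
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("userpassword:"):
            out.append((dn,) + check_value(line.split(":", 1)[1].strip()))
    return out
```

On the sample, the {crypt} value passes the format check and the {MD5} value is reported as a hex digest; base64-wrapped LDIF values (userPassword::) are not handled.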
