By default; OpenLDAP does not hash the password by itself. If LDAP client sends a plain text value for userPassword in normal add/modify LDAP operation, OpenLDAP stores the userPassword as base64 encoded plain text value. Therefore; this value can be easily base64 decoded and can be retrieved the plain text password. So, LDAP client must hash the password and send it in add/modify operations.
However; OpenLDAP has an overlay (module) which supports for password policy management. This overlay can be used to modify the default behavior of the OpenLDAP. It means that; when LDAP client sends a plain text password, OpenLDAP can itself hash (SSHA) the password and store it.
Let see how we can configure this overlay to achieve hash password in OpenLDAP.
Step 1. Install ppolicy overlay module. This can be easily done, when you are running the configuration of the OpenLDAP. Please check my previous post, You can configure OpenLDAP with “–enable-ppolicy “ option as following.
> ./configure --enable-ppolicy
If not, later you can install the ppolicy overlay module.
Step 2. Configure slapd.conf file to enable ppolicy overlay (In ubuntu file can be found in /usr/local/etc/openldap/slapd.conf)
Following entries have added in to the slapd.conf
#Include schema include /usr/local/etc/openldap/schema/ppolicy.schema # Load dynamic backend modules: moduleload ppolicy.la # After database definitions, You can add followings. overlay ppolicy ppolicy_hash_cleartext
Here “ppolicy_hash_cleartext” enables the password hashing in ppolicy overlay.
Step 3. Restart the server
You can kill the server and start again.
Step 4. Testing.
Lets create new user entry. Following is the same LDIF
dn: cn=john,ou=Users,dc=soasecurity,dc=org objectClass: person sn: doe cn: john userPassword: johnldap
using ldapadd command
>ldapadd -x -D "cn=asela,dc=soasecurity,dc=org" -W -f user.ldif
if you retrieve the LDAP entry, it would be shown as following
# john, Users, soasecurity.org dn: cn=john,ou=Users,dc=soasecurity,dc=org objectClass: person sn: doe cn: john userPassword:: e1NTSEF9UEVKclF1THh6RU5XYnB0NUc3bTNsZmhoN0FtMkcvYmI=
If you base64 decoded the userPassword value, you will see the SSHA password.
Thanks for reading..!!!