Score:0

How does userPassword attribute work in LDAP?

co flag

I'm just learning about LDAP, and there's something I don't quite understand.

When we create users in a directory, we define their password using the userPassword attribute. When we use for example the {SSHA} scheme, as far as I understand, it works like this: We take the cleartext password, add to it some random salt, and hash it all together.

EDIT: All this is outside of LDAP!

Then, we take this hashed password+salt, and store this value in the userPassword attribute.

Now, say I have some application that needs to authenticate a user using this directory. The application prompts the user to enter Username and Password. Now, the application queries the directory to search for the relevant user entry.

Then, the application needs to compare the password that the user entered with the userPassword attribute. But this is what I don't understand - how does the application know the random salt that was generated when the user was first registered to the directory?

cn flag
Looks like this has already been answered here: https://stackoverflow.com/questions/17733040/how-can-i-retrieve-a-salt-from-ldap https://stackoverflow.com/a/17847163/175990
YoavKlein avatar
co flag
Thanks. But how do I retrieve the salt? The userPassword field is write-only, I can't retrieve it.
cn flag
Isn't that the point? To "protect" the password? This is a forum for managing technology systems in a business environment. No-one needs to access the password attribute directly, because the system manages the access for them.
YoavKlein avatar
co flag
The userPassword attribute contains: `{SSHA}base64(digest+salt)`. In order to authenticate a user - i.e. compare hashes - the authenticating application needs to obtain the salt somehow, doesn't it? If not, how does it compare the hashes?
cn flag
The "application" has full access. Your "application" does not have full access. This is a forum for managing technology systems in a business environment. Perhaps how to access an LDAP attribute from your "application" would be more appropriate for Stack Overflow.
YoavKlein avatar
co flag
Let's say I want to simulate this using ldap commands (ldapsearch, ldapcompare). I'm the administrator of the directory. I have the password in clear text. How do I do it?
Score:2
fr flag

Then, the application needs to compare the password that the user entered with the userPassword attribute. But this is what I don't understand - how does the application know the random salt that was generated when the user was first registered to the directory?

The salt is always stored right next to the hash. Depending on format, it might be visually separated (e.g. /etc/shadow "crypt" uses $ to separate the salt from the hash) or it might be combined (e.g. LDAP {SSHA} will have X bytes of salt + Y bytes of hash combined, inside of the Base64 encoding).

The userPassword field is write-only, I can't retrieve it

This is because usually it's not the application that hashes and compares the password, but the LDAP server itself that does so, and the LDAP 'Compare' operation is not used for this purpose.

Instead, the application would use the LDAP 'Bind' operation and literally attempt to "log in" as the user to the LDAP server. That way, the application does not need to have 'read' access to the salt/hash values and doesn't even need to actually support the hash algorithm that the LDAP server uses.

(In fact, the LDAP server might not even store hashes at all – e.g. OpenLDAP may use {SASL} to offload password verification to a completely separate system such as Kerberos. All of this is completely invisible to programs that use LDAP 'Bind' to verify the password.)

To emulate this through CLI tools, you would:

  1. Use ldapsearch with the webapp's dedicated credentials to search the directory for the user's DN (as the user provides only the username).

  2. Use ldapsearch -D <user_dn> -w <user_passwd> to authenticate, ignoring the search result (as there is no CLI tool that only binds).

    • Most programs do not use the CLI; they use the LDAP client library directly, so they can call ldap_simple_bind() independently and immediately unbind after knowing the result.

    • However, some webapps do make an actual LDAP search at this step, reading the user's own DN entry with their own privileges – e.g. to retrieve certain fields that the webapp's own account isn't allowed to read.

    • If you don't care about the result, looking up the rootDSE -b "" -s base is as close to a "no-op" search as it gets. You could also use ldapwhoami instead of ldapsearch (but not all LDAP servers support the 'WhoAmI' exop, e.g. AD doesn't).
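
To make the "the salt is stored right next to the hash" point concrete, here is an added example (not part of the original question or answer) that does, offline, what the directory server itself does when it checks a simple Bind against a {SSHA} userPassword value: decode the Base64 blob, take the first 20 bytes as the SHA-1 digest, treat everything after them as the salt, and recompute the hash of the candidate password with that salt. The 4-byte salt size is what OpenLDAP's slappasswd emits by default; other implementations use longer salts, so the parser does not assume a length. The only assumptions are the function names and the constructed sample passwords.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# SHA-1 digest size. In an {SSHA} value the digest comes first and
# every byte after it is the salt, so no separator is needed.
SHA1_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style userPassword value: {SSHA}base64(sha1(password + salt) + salt).

    This is what slappasswd -h '{SSHA}' produces (4-byte random salt by default).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Recover (digest, salt) from a stored {SSHA} value.

    Answers the question in the thread: the salt is not kept anywhere else,
    it is simply the tail of the decoded blob, whatever its length.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("blob too short to hold a SHA-1 digest plus a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(stored: str, candidate: str) -> bool:
    """What the server does during a simple Bind: rehash the candidate with the
    stored salt and compare in constant time against the stored digest."""
    digest, salt = split_ssha(stored)
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


if __name__ == "__main__":
    # Constructed sample: two entries for the same password get different
    # salts and therefore different stored values, yet both verify.
    first = make_ssha("correct horse battery staple")
    second = make_ssha("correct horse battery staple")
    print(first)
    print(second)
    print("salts differ:", split_ssha(first)[1] != split_ssha(second)[1])
    print("first verifies:", verify_ssha(first, "correct horse battery staple"))
    print("wrong password:", verify_ssha(first, "Correct horse battery staple"))
```

This is exactly why an application normally never needs to read userPassword: it hands the cleartext to the server in a Bind and lets the server run the equivalent of verify_ssha. If you do hold the stored value as a directory administrator, the same split lets you check a cleartext password against it without any LDAP Compare operation.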
