Encoding LDAP passwords

Two utilities for this featured below: OpenLDAP’s slappasswd and OpenDJ’s encode-password. A perl script that does the same thing closes out the article. You decide on your favorite.

For various reasons we sometimes need to generate encoded passwords, technically hashes of strings1, in managing LDAP directory environments. Whether in setting up an initial OpenLDAP configuration or in creating secure LDIF files for provisioning users on OpenDJ, the time comes when being able to generate a password hash in a format the directory understands is necessary to the task at hand.

Here’s the simple syntax using the tool provided for each of these common directory servers. The password string submitted in each case was “newpass”. The first set of examples will hash it using the SSHA hashing scheme, the second using the less secure2 SHA scheme.

Using the SSHA algorithm:

[me@mine ~]$ /usr/sbin/slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}Z2y4i/YSnD2Fs1RhH6BTC49b3RZZsoUq
[opendj@mine ~]$ encode-password -s SSHA -i
Please enter the password :
Please renter the password:
Encoded Password:  "{SSHA}IAAVjHQvYK7gNyzw07b4Ij0+OHp10is0EtmGGQ=="

Using the SHA algorithm:

[me@mine ~]$ /usr/sbin/slappasswd -h {SHA}
New password:
Re-enter new password:
{SHA}bFWAPW8dehd6DbPrSzQ7DVD5wRE=
[opendj@mine ~]$ encode-password -s SHA -i
Please enter the password :
Please renter the password:
Encoded Password:  "{SHA}bFWAPW8dehd6DbPrSzQ7DVD5wRE="

Finally, here’s a really simple perl script I wrote years ago to do the same thing, except that it also shows the UUEncoded version of the hash like OpenLDAP’s ldapsearch does by default:

#!/usr/bin/perl
# digestsha.pl Encode clear text into SHA hash and formatted
# (UUEncoded) hash like ldapsearch outputs.

use strict;
use Digest::SHA1 qw(sha1_base64);
use MIME::Base64;

my $data = "newpass";

print "Original text: ", $data, "n";

my $hashed = sha1_base64($data);
print "Hashed text: ", $hashed, "n";

my $shatext = '{SHA}' . $hashed . '=';
print "Formatted hash: ", $shatext, "n";

my $encoded = encode_base64($shatext);
print "Base64 re-encoded: ", $encoded, "n";

my $decoded = decode_base64($encoded);
print "Decoded: ", $decoded, "n";

__END__;

Notes:

1“Encoding” is a term I don’t like to use respecting LDAP passwords because it suggests the kind of algorithm that lends itself to decoding, a design that modern hash algorithms were invented to replace. Technically storage schemes like SHA and SSHA are one-way hashes that cannot be (easily) decoded. In fact most successful attacks against systems employing these schemes rely more on social engineering, and patient observation, than mathematics.

2The second set of examples demonstrates the huge advantage that using a salted SHA hash has over a plain old SHA hash, showing that each tool produces an identical value that could be much more easily cracked using a custom dictionary attack. A different SSHA hash will be produced with each run because the tool is going to supply a different salt every time.