Hashing passwords using SSHA (iDS 5.1)

Hi,
We would like to take a password in the clear and hash it with the SSHA algorithm so that it can then be stored in the Directory. I know that the Directory will perform the hashing but we want to hash the p/w and provide it already hashed ({SSHAizamiseW6xky}) before it gets to the Directory. Is there any information/documentation on how iPlanet implements SSHA so we can achieve this?
Cheers
Simon

There is a command line utility - bin/slapd/server/pwdhash - I believe this command is documented in the Command reference or the Admin Guide.
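
The layout commonly used for `{SSHA}` userPassword values, shown as an added example (not code from this thread or from iPlanet): SHA-1 over the password followed by the salt, then base64 of the digest followed by the salt. The 8-byte salt default is inferred from the `{SSHA}` sample quoted further down this page, which decodes to 28 bytes; UTF-8 password encoding and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes

# Values quoted on this page, used here only as format samples.
PAGE_SSHA_SAMPLE = "{SSHA}a+dFsejrTGwQAgdU07kkgzWWOC16SiIW2UsPcQ=="
PAGE_MD5_SAMPLE = "{MD5}X03MO1qnZdYdgyfeuILPmQ=="  # cleartext "password"


def ssha_encode(password: str, salt: Optional[bytes] = None,
                salt_len: int = 8) -> str:
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(salt_len)  # fresh random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt).

    The salt length is not fixed by the scheme, so it is taken to be
    whatever follows the 20-byte SHA-1 digest.
    """
    scheme, _, b64 = stored.partition("}")
    if scheme.upper() != "{SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to contain a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt, compare in constant time."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def md5_encode(password: str) -> str:
    """Unsalted {MD5} form, same construction as the PHP line on this page."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    value = ssha_encode("secret")
    print(value, ssha_verify("secret", value))
    digest, salt = ssha_split(PAGE_SSHA_SAMPLE)
    print("page sample: digest", len(digest), "bytes, salt", len(salt), "bytes")
    print(md5_encode("password") == PAGE_MD5_SAMPLE)
```

Because the salt is random, two encodings of the same password differ, while the unsalted `{MD5}` form is identical for every user who picks that password.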

Similar Messages

  • Hashing passwords using SSHA (iDS 5.1) repost

    Hi,
    The initial response to the question below was to use the pwdhash utility. We would prefer to write our own code rather than use pwdhash. Is there any information anywhere on how iPlanet implements SSHA? I am assuming somebody else has done this before.
    Cheers
    Simon
    Question:
    We would like to take a password in the clear and hash it with the SSHA algorithm so that it can then be stored in the Directory. I know that the Directory will perform the hashing but we want to hash the p/w and provide it already hashed ({SSHAizamiseW6xky}) before it gets to the Directory. Is there any information/documentation on how iPlanet implements SSHA so we can achieve this?

    Hi Simon,
    If you write a preoperation plugin you can have a partial solution in this context. Get the userPassword (clear text) value from the entry/mod structure of the pblock in the preop ADD/preop MODIFY functions. Use "slapi_encode(char* value, char* algorithm)" or your own hashing function to hash the password value and reset the userPassword attribute with this hashed password value.
    regards,
    sanjay

  • Migrate users from qmail to sun messaging  (import MD5 hashed passwords)

    Hi,
    we are planning to migrate about 2000 users from our current mail system (qmail + openldap) to Sun Messaging 6.2.
    We have encountered a problem with user password migration. In our current ldap user passwords are MD5 encrypted, but it appears as Directory 5.2 does not support MD5 encryption method.
    This is what I have found :
    http://docs.sun.com/source/817-7616/config.html#wp26092
    The following encryption types are supported by Directory Server:
    * SSHA (Salted Secure Hash Algorithm) is the recommended method as it is the most secure.
    * SHA (Secure Hash Algorithm). This is the method supported by 4.x Directory Servers.
    * CRYPT is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords.
    * If this attribute is set to CLEAR, passwords are not encrypted and appear in plain text.
    We want to import MD5 hashed passwords so users can use their old password after we migrate to SUN, but as passwords are updated they will be SSHA hashed.
    We only have a problem with importing MD5 hashed passwords in ldap directory.
    Current password on openLDAP are created with the following PHP code:
    $info["userPassword"]= '{md5}' . base64_encode(pack('H*', md5($passwd)));
    I have tried to copy userpassword value from openldap to directory but the directory ignores {md5} and hashed the string again using SSHA.
    Example:
    cleartextpass: password
    md5_base64_hash={MD5}X03MO1qnZdYdgyfeuILPmQ==
    after ldap modify userpassword field looks like this:
    userpassword:{SSHA}a+dFsejrTGwQAgdU07kkgzWWOC16SiIW2UsPcQ==
    What is the correct procedure to import MD5 hashed passwords in Sun Directory?
    (NS-MTA-MD5 Password Storage Plug-In is enabled)

    Sun Directory 5.2 has a plugin NT-MTA-MD5 which should enable users to authenticate with MD5 hashed passwords.
    I have checked in cn=config and NS-MTA-MD5 plugin is enabled.
    I have tried with {NS-MTA-MD5} prefix and still directory does not allow users to authenticate.
    Example:
    cleartextpass: foo
    md5_base64_hash={NS-MTA-MD5}rL0Y20zC+Fzt72VPzMSk2A==
    after ldap modify userpassword field looks like this (NS-MTA-MD5 is accepted by directory):
    userpassword:{NS-MTA-MD5}rL0Y20zC+Fzt72VPzMSk2A==
    but
    ldap bind fails with "invalid credentials" error
    We are using solaris 10 so I tried using the prefix {crypt} and it did not work. You said something about the right config in /etc/security/crypt.conf. Here is the content of my crypt.conf file:
    1 crypt_bsdmd5.so.1
    2a crypt_bsdbf.so.1
    md5 crypt_sunmd5.so.1
    This should be the right config "md5 crypt_sunmd5.so.1"
    Am I missing something here?
    Is there anything else I need to do to enable directory to use MD5 hashed passwords?
    Maybe NS-MTA-MD5 plugin is not enough?

  • Not able to connect after changing the password using ALTER VALUES clause

    Hi,
    Just now John explained about VALUES clause in below thread.
    Expired Status
    I created a new account called SURI and tried to use the user account HR's password using VALUES clause. I was able to alter the password but not able to connect SURI with hr password.
    Please see the version details below. And the SQL statements which I have tried.
    SQL*Plus: Release 10.2.0.1.0 - Production on Mon Aug 13 18:44:50 2012
    Copyright (c) 1982, 2005, Oracle.  All rights reserved.
    Enter user-name: sys as sysdba
    Enter password:
    Connected to:
    Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
    SQL> SELECT password
      2  FROM dba_users
      3  WHERE username = 'HR';
    PASSWORD
    4C6D73C3E8B0F0DA
    SQL> ALTER USER SURI IDENTIFIED BY VALUES '4C6D73C3E8B0F0DA';
    User altered.
    SQL> SELECT password
      2  FROM dba_users
      3  WHERE username='SURI';
    PASSWORD
    4C6D73C3E8B0F0DA
    SQL> conn suri/hr     -- HR account's password is hr only
    ERROR:
    ORA-01017: invalid username/password; logon denied
    Warning: You are no longer connected to ORACLE.
    SQL>
    Thanks,
    Suri

    You can only do it for the same user, as the password is a hashed value that includes the username as part of the hashing (It's either the username or some internal object id or something). So using the hashed value against another user won't work.

  • Resetting the Hashed Password after enabling Windows File Sharing

    Disclaimer: you'll need a good bit of knowledge about OS X, UNIX, and encryption to understand what I'm talking about.
    All right, so normally OS X hashes user passwords using a salted SHA1 encryption. It uses shadowing so that you can't obtain the actual hash value using "% nidump passwd".
    BUT, if you enable Windows File Sharing, all that changes. OS X re-hashes your password using the much less secure LANMAN encryption. This allows Windows machines to access your files. (LANMAN is what Windows used to encrypt passwords up through Windows ME. Later versions of Windows use NTLM instead, which is stronger.) This is why, the first time you enable Windows File Sharing, OS X warns you that enabling the feature will require your password to be stored in a less secure manner; it's downgrading the hash from SHA1 to LANMAN.
    My question is: I'm done sharing files with idiot Windows users - how do I force OS X to go back to storing my password using SHA1?
    Thanks guys.
    -Bryan

    Thanks biovizier. You're absolutely right, deleting the extra text after ";shadowHash;" and then resetting the password for the user's account does seem to force OS X to rehash the password using SHA1.
    Just in case someone else has this question in the future, here's how to verify that your password is hashed in SHA1:
    Log in as Root and open the /private/var/db/shadow/hash folder. You'll see files with long, weird names. You'll also see an XML file (with the extension *.state) for each of the files with long, weird names. The XML file contains several tags that tell OS X information about the hashed password - things like when it last logged on, when it was created, how many times login failed, etc.
    We're interested in the other files - the ones that don't end in ".state"
    To verify that SHA1 is being used, open the long, weird files in textedit. You should see something like this:
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000059G31HJ75BR54210P07Y57BC57094D643H78K8765L98C6X000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000
    There should be a few more zeros; I've cut some out here to save space.
    What should NOT exist, is the following:
    57Y083D243109VGR45Z4B65812R8M087H65HJ8OK95T89L8JHL9000000000
    000000000000000000000000000000000000000000000000000000000000
    0000000059G31HJ75BR54210P07Y57BC57094D643H78K8765L98C6X00000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000
    The second hashed value does not start with zeros. This hash value is not SHA1. It is the less secure encryption method required for compatibility with Windows.
    If your hash file opens with zeros, you're using SHA1. Otherwise, follow Biovizier's procedure: Open NetInfo, select the user account whose password needs to be changed back to SHA1, look at the "authentication_authority" value, make sure the value is set to ;ShadowHash; and that no additional text follows that string, then reset the affected account's password. You can then log back in as root and re-check the hash files using textedit and you should find that the hash file opens with solid zeros instead of letters and numbers.
    Do NOT manually edit the hash files in textedit. One of those files is the hash for the Root password. If you change that hash file, your root password will no longer work (because when you type MYPASSWORD, OS X will hash that string and find that the hashed value no longer matches the stored hash value in /private/var/db/shadow/hash and OS X will therefore reject your password as incorrect) and you will quickly find yourself locked out of your computer for good.
    And finally, just in case you have the computing power of the NSA and are thinking about running the hashes I've listed here: A) They aren't the right length; I've left some characters out and B) I randomly substituted different alphanumerics in for the ones in my real hashes with no rhyme or reason.
    Which brings me to another point: NEVER post your hashes online. Yes, it takes a TON of computing power to break them, but still, they're hidden away for a reason!
    Anyway, I hope this helps other security buffs out there.
    I'm going to make a suggestion to Apple that OS 10.5 be changed so that when you unclick "windows file sharing" the OS immediately rehashes your password in SHA1 again.
    -Bryan

  • Insert a hashed password into OID

    I have the need to migrate all user accounts (stored in a custom table) into OID as we are moving over all login to Single Sign On
    Within our custom table, we store the Application username and password (hashed using DBMS_OBFUSCATION_TOOLKIT.MD5 function)
    What I would like to do is migrate these hashed passwords into OID so the users can keep the same passwords as are currently being used in the Application
    I have been playing around with the "No Encryption" option in OID as well as the "Userpassword reversable Encryption" attribute in the Password Policy for Realm area but with no real joy
    Any suggestions would be welcome otherwise I will have to issue new passwords to all users
    Regards
    Duncan

    If you only need plain SSO you probably can get this to work. LDAP allows storing hashed passwords, and MD5 if I am not mistaken should be supported on OID. EUS (Database authentication) probably won't work, but SSO should be fine.
    See note 261780.1, you need to prepend the hash type, and it needs to be base64 encoded. On a LDIF file it should look like this:
    userpassword: {MD5}IUg245aBlYtKEGVI1N1gfg==
    I never tested this, so good luck. But if you cannot get it to work you can do this the hard way, store the hash on some other attribute, like pager or facsimiletelephonenumber, and implement a ldapcompare and ldapbind plugin to replace the password validation with a custom package.
    Regards,
    Luis

  • OBIEE 11.1.1.7 external database authentication fails with hashed passwords.

    Hi.
    I use an external database (Oracle database 11g release 11.2.0.1.0) to authenticate users with OBIEE 11.1.1.7.
    I configured SQL Authentication provider as my provider. It works OK with the Plaintext Passwords Enabled option enabled and the password stored as plain text.
    But it fails when I disable this option and want to authenticate with hashed passwords. It gives an Authenticate Denied error.
    In Provider Specific tab there are some parameters which might need changes:
    1-Password Algorithm:??
    2-Password Style:??
    3-SQL Get Users Password:SELECT U_PASSWORD FROM USERS WHERE U_NAME = ?
    How can I find correct values for options 1 and 2 from my external database?
    And is it necessary to rewrite the query in option 3?
    Please find attached files.

    Hi,
    I too faced same issue when I was installing OBIEE 11.1.1.7.0 on windows7 64bit.
    Please refer the below links.
    http://satyaobieesolutions.blogspot.in/2013/05/configuration-action-creating-domain.html
    http://satyaobieesolutions.blogspot.in/2013/05/obiee-111170-simplesoftware-installation.html
    http://satyaobieesolutions.blogspot.in/2012/06/obiee-11.html
    Hope this helps
    Thanks,
    Satya

  • Hashing Passwords

    Ok, here's my code that I received from a friend...but....My
    DB isn't updating. Am I missing a step?
    <!--- Retrieve the existing users so we can loop them and
    update their password
    with its equivalent hashed value. --->
    <cfquery name="myQuery" datasource="myDatasource">
    SELECT Username, Password
    FROM MyUserTable
    </cfquery>
    <!--- Loop the query results. --->
    <cfloop query="myQuery">
    UPDATE MyUserTable
    SET Password = '#Hash(myQuery.Password)#'
    WHERE Username = '#myQuery.Username#'
    </cfloop>

    Not sure if it will make a difference, but since you are
    using query="myQuery" in your cfloop, you don't have to repeat
    myQuery in your variable names within the second cfquery.
    (Also, you can use cfoutput instead of cfloop. Not sure which one
    is more efficient.)
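    <!--- Retrieve the existing users so we can loop them and
    update their password
    with its equivalent hashed value. --->
    <cfquery name="myQuery" datasource="myDatasource">
    SELECT Username, Password
    FROM MyUserTable
    </cfquery>
    <!--- Loop the query results. The UPDATE has to run inside its own
    cfquery; outside one it is only written out as text. --->
    <cfoutput query="myQuery">
    <cfquery datasource="myDatasource">
    UPDATE MyUserTable
    SET Password = <cfqueryparam value="#Hash(Password)#" cfsqltype="cf_sql_varchar">
    WHERE Username = <cfqueryparam value="#Username#" cfsqltype="cf_sql_varchar">
    </cfquery>
    </cfoutput>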
    Phil

  • Hashed password import into LDAP

    hello,
    is it possible to import MD5 hashed password direct into LDAP instead of creating a new one?
    Any help would be appreciated.
    Ales Hrncarek

    Hello
    I'm also interested in the same topic.
    We are working on a project that requires programmatic registration of portal users.
    We found out that the best way to register a new portal user was going directly into ldap.
    The only problem I have is finding the right way to encrypt the passwords.
    I tried to set the password in clean text, but of course it didn't work (I didn't actually think it would either ;) )
    How do you encrypt the password? Is there a java api i can use?
    Regards
    Per-Jarle Sfther

  • Getting NT or LM hashed password

    Hi all!
    I have the response from an NTLM challenge response, and I
    would like to authenticate the user against an ActiveDirectory. Is there
    a possibility to get the user's NT or LM hashed password
    needed to generate an NTLM like response for comparing
    with the one received from the client?
    Tankx!

    I think you're going about this in the wrong way.
    Just try and connect to Active Directory using the username and password provided then try reading their user object's attributes.
    If the credentials are wrong you'll get an exception.

  • Conversion of hash password

    Hi,
    SELECT username,password FROM dba_users
                     WHERE username='SCOTT';
    USERNAME        PASSWORD
    SCOTT              F894844C34402B67
    Can we convert above hash password value to normal text......
    Any help please......
    Thanks and Regards
    Reddy.

    Not using traditional methods. A Hash is a one-way function, you can never get the reverse of it.
    I will not link to any tools to circumvent this. You are left to your own creativity/ingenuity.

  • Ok I have reset my ID after signing out but when I go to Apps update it asks for a password using my old email address????

    I have reset my ID but when I go to update apps it asks for password using my old email address???
    How do I overcome this issue???

    So how do I update apps that are tied to an old ID ?? I do not remember the old ID as the Apps were downloaded a long time ago

  • When I try to buy or update an app on my ipad, a window comes up asking me for a password using SOMEONE ELSE'S apple ID which prevents me from buying the app. How can I get my ipad to prompt for a password using my own apple ID, like it does w/ itunes

    When I try to buy or update apps, my ipad asks me for a password using SOMEONE ELSE'S apple ID, which prevents me from buying/updating apps. But when I am buying songs on itunes, the ipad asks me for my password using MY OWN apple ID and everything works fine. HOW DO I GET MY IPAD TO REQUEST MY PASSWORD USING MY OWN apple ID WHEN I AM BUYING OR UPDATING APPS?

    The apps you are trying to update were purchased with (and therefore permanently linked to) someone else's Apple ID. If you do not know the password then you need to delete the app and redownload/purchase it with your Apple ID.

  • I re-set password using specific user ID but when I put new password in it does not say incorrect password  it just spins and spins never accepting it.  What is the problem?

    I re-set password using specific user ID but when I put new password in it does not say incorrect password  it just spins and spins never accepting it.  What is the problem?

    Update on my problem connecting in Itunes with my Airport Express. Not sure if anything I tried made a difference
    but I finally got the Pop up window saying this device requires a Password. I entered the password and I can once again use the Airport Express as a remote speaker.

  • What are the advantages of using Map IDs?

    Hi:
    I am trying to find out the advantages for using map ids as
    opposed to just using the file names for the topics, but I couldn't
    find this information in the RH7 Help or the forums. Can you please
    list the advantages and disadvantages.
    Also, I am describing how I wish to implement the context
    sensitive help feature for my application and you can tell me which
    approach is better. We make an application that is packaged within
    a Java IDE. We want to launch context sensitive help topics from
    the wizards and cheat sheets. Now, this context sensitive help can
    be either be installed on the local machine or network (file://
    protocol) or available on our portal (https:// protocol). We do
    have the infrastructure in place to let the user decide whether
    he/she wants to access the local help topic or the one over the
    internet. Will map ids work for both the scenarios?
    Thanks,
    K

    It sounds like your application call needs to call an online
    version of the help first and if this is not available to point to
    a local copy. Is that right? If so, how this happens is entirely in
    the hands of your developers. I know it can be done, just sketchy
    on the actual procedure.
    As far as the CSH in the help is concerned, you can use
    mapids for both versions of the help if you want. If using webhelp
    you'd do well to check out this link on Peter Grainge's site.
