Solaris 10 openldap authentication with md5 passwords

Similar Messages

• LDAP authentication with MD5 passwords

  Hi,
  in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
  I know it is to be done with {crypt} storage scheme.
  This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
  Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
  Thanks in advance,
  Kristof

  Thanks you for your reply.
  Our openldap version is openldap-2.3.39
  And all passwords are encrypted with : Base 64 encoded md5
  Below is a sample password:
  {md5}2FeO34RYzgb7xbt2pYxcpA==Thanks again for any help..

• Authentication with hashed password

  Hi,
  the user passwords in my iPlanet 5.1 are stored by using SHA. I authenticate a user from a JBoss AppServer by using an LDAPLoginModule which works fine.
  Now I want to secure this access by no longer sending the clear text password over the network. Instead I configured my JBoss-LoginModule to hash the password by using "SHA-1" before accessing the LDAP server. But now the authentication fails.
  ERROR [LdapLoginModule] Failed to validate password
  javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials
  Do I have to configure something in the iPlanet before I can access it with a password that is already hashed?
  Does iPlanet recognize that the sent password is already hashed? Maybe it tries to hash the password again before checking?
  Andreas
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     

  As far as my experience with this has gone, the simple answer is no. You'll have to enter it in cleartext.
  The most used methodology is to create some kind of standard password to send for each new account, and make it mandatory to change it as soon as the user logs on for the first time. I don't know any other way to do this.
  - Mark

• Migration Users with MD5 Passwords to Directory Server 6.1 on Solaris 10

  Hi,
  We are currently in a requirement of migrating some users to a application database to inside LDAP. Currently Application maintained the passwords in the MD5 hash form. Typical 32 digit Hex value - 41da76f0fc3ec62a6939e634bfb6a342
  Is there a way we can migrate these Users password to directory Server as-is so that they don't end up facing the prospect of resetting post migration.
  I have done some of the initial ground work but seems to be missing other critical info if at all it's possible.
  I believe it's possible to have CRYPT password policy (which directory server uses from underlying OS) as one of the plug-ins to configure in a way that underlying CRYPT utility starts to process/provide/support MD5 hashes. I got it to work, my using the below command on DSEE instance:
  dsconf set-plugin-prop -p 389 CRYPT argument:'$md5$'
  But for some reasons the MD5 hash (Sun MD5 library) provides does not match with the original hash value. It's 22 char long (as I have not specified any salt length) so I am assuming it's Base64 encoded. I have a perl script which converts the original 32-digit hex values to a base64 encoded representation (which I have also verified with other open source tools)
  Is there a way I can tweak CRYPT utility or something so that it understands typical standard MD5 hashes. (Confused between Sun MD5 and BSD (Linux) MD5 - none of them seems to match standard MD5 generated value).
  Any leads on this would be really helpful ?

  Just to reclarify or throw more information:
  a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
  Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
  But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
  {crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
  I used below command :
  pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
  Actual hash value of pwdhash is -LiB/H70zXr3xfQPoXVuUQ1 with rest of the prefix is to meet RFC standard and salt and algo name separator.
  I am wondering if Sun MD5 default uses any salt even when I haven't used or DS does it. Or if any other MD5 option is there which can be used.
  Thanks,
  Gaurav

• Authentication with username/password *OR* certificates?

  Hi folks,
  we have to authenticate users either via username/password combo or via
  certificate.
  Of course, by using SSL in both cases. Is this possible with WLS 6.0? Since
  I've read
  that I have to configure WLS explicitly to support client certificates, I'm
  rather suspiscious
  if this will work.
  Any ideas anybody?
  Regards,
  Gerhard

  You can use certificates for authentication if you do the following:
  1) you need to implement a CertAuthenticator which, given a
  certificate from SSL, extracts a user name (for example, get
  the email address from the certificate and return the name
  portion - [email protected] might use foo as the user name)
  2) in your realm, you must have a user for the user name in
  the certificate (so, for the example above, you need to have
  a user named "foo" in the realm)

• Logging in with md5 passwords.

  Hi,
  How is it possible to allow users to login when their passwords, have been encrypted into md5?
  Thank you.

  You encrypt the submitted value and compare it to the stored value.
  The way I do this with the Dreamweaver Log In User server behavior is to add this at the top of the login page:
  if (isset($_POST['password'])) {
    $_POST['password'] = md5($_POST['password']);

• Migrating Linux shadow-file MD5 passwords to Sun DSEE for Solaris/SunMail

  Hello all,
  We are about to undertake migration of an outdated mail server based on RedHat 7.2 and Sendmail/ipop3d to Sun Messaging Server (JCS6u2). While the filesystem/mail are not a problem, we're stuck at the question of how to best migrate old users' identities.
  The old Linux system used user names and password hashes stored in /etc/passwd and /etc/shadow files. Hashes are mostly MD5 and a few seem like crypt.
  Question is: are there known incompatibilities between password hashes (algorithms, expected format) in Linux and Sun products - Solaris/DSEE/SunMail?
  That is, if we just take strings like these:
  usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116
  usecrypt:DD2kEwCD8nies:10220::::::
  Can we simply place the second column as the userPassword attribute in Sun DSEE and expect that users would be able to log in to LDAP-enabled Solaris and Sun Mail with their old passwords knownst only to them?
  If not, is there some simple modification/translation of such hashes to a format accepted by Sun products?
  Or are these formats/algorithms known to be incompatible somehow in a fatal manner, so our only option would be generation of new passwords for Sun DSEE and its clients?
  Thanks,
  //Jim

  Just to reclarify or throw more information:
  a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
  Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
  But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
  {crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
  I used below command :
  pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
  Actual hash value of pwdhash is -LiB/H70zXr3xfQPoXVuUQ1 with rest of the prefix is to meet RFC standard and salt and algo name separator.
  I am wondering if Sun MD5 default uses any salt even when I haven't used or DS does it. Or if any other MD5 option is there which can be used.
  Thanks,
  Gaurav

• Solaris & MD5 Passwords ?

  Hi!
  We've got a linux NIS domain inhouse, and would like to also integrate our sun boxes to this domain. The Problem is that RedHat Linux uses MD5 encryption for pam password, and it seems that solaris isn't able to encrypt passwords this way...
  Anyone knows a solve, or perhaps a lib which supports md5 ?
  Thanks...
  -- Mirko

  One way of doing this:
  You have a solaris resource adapater configured and is working properly.
  Create a variable and map this variable to the password attribute on the solaris adapater schema mapping.
  Within the form that is used when a create or update is processed, add a field with the name of the 'global.YOURVARIABLE'. Within the expansion of this field select expression and use the <script> tag to use the MD5 password javascript for instance.
  A better way of doing, is putting the <script> in a rule, test the rule, and call the rule from the expansion.
  Good luck!
  Elger.

• How to deal with expired passwords in authentication schemes?

  IHi,
  I am trying to build an authentication scheme that deals with expired passwords. After the user has provided their valid but expired password they should be redirected to a password reset page. After they have provided a new password they should be allowed to continue to the page they would have otherwise gone to had their password not expired.
  I have written my authentication processs as follows:
  CREATE OR REPLACE FUNCTION inventory_test.inventory_authentication (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
  RETURN BOOLEAN
  IS
  r1 apex_users%ROWTYPE;
  valid_password BOOLEAN;
  BEGIN
  IF p_password IS NULL
  THEN
  RETURN FALSE;
  END IF;
  SELECT *
  INTO r1
  FROM apex_users
  WHERE UPPER (username) = UPPER (p_username);
  valid_password :=
  DBMS_OBFUSCATION_TOOLKIT.md5 (input_string =&gt; p_password
  || TO_CHAR (r1.SEED, '99999')
  ) = r1.PASSWORD;
  IF valid_password AND (r1.password_expiration_date &lt; SYSDATE)
  THEN
  apex_util.set_session_state ('FSP_AFTER_PASSWORD_RESET_URL', v ('FSP_AFTER_LOGIN_URL')); -- My new application item
  apex_util.set_session_state ('FSP_AFTER_LOGIN_URL',
  'F?P=' || v ('APP_ID') || ':14:' || v ('APP_SESSION')
  END IF;
  RETURN valid_password;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  RETURN FALSE;
  END;
  This redirects the user to the password reset page but FSP_AFTER_PASSWORD_RESET_URL is null - presumably because the login process changes the session.
  This seems the wrong approach anyway as the user, once authenticated, can change the page number in the URL and avoid the password reset. I would guess that I need to use the APEX_CUSTOM_AUTH package somehow. However, I am thoroughly confused about the relationship between the LOGIN and POST_LOGIN procedures. Also, I gather from other posts in this forum that there is some asynchronous processing that goes on as new sessions are created. Can someone point me in the right direction please?
  --Tony
  [http://tonyhasler.wordpress.com/][http://tonyhasler.wordpress.com/]

  Sorry for taking so long to acknowledge your helpful suggestions.
  Scott's proposal is a tiny tiny bit awkward as,if i understand it correctly, the user would have to reauthenticate after resetting the password.
  /dev/null's suggestion is actually not too bad for me. I already have each page being authorised and I use only a limited mumber of (once per session) authorization schemes. I think all I have to do is to place an extra line or two in each scheme to check the expiration date of the user's password and remember to call APEX_UTIL.RESET_AUTHORIZATIONS when the password is reset.
  I successfully redirected to the password reset page using owa_util.redirect_url from the post-authentication procedure but what I am still having trouble with is the deep-linking bit. It seems I have to obtain the target URL by 'editing' FSP_AFTER_LOGIN_URL to replace '|' characters by ':' characters and inserting the session id in the right place. Given the fact that FSP_AFTER_LOGIN_URL may not be set and that there may not be sufficient ':' characters in the URL this is very clunky.
  Is there an easier way to do this?
  --- Never mind. I worked out how to use regular expressions with SQL to do this. A full explanation is in my blog.
  --Tony
  http://tonyhasler.wordpress.com
  Edited by: TonyHasler on Sep 6, 2008 3:17 PM

• Need MBAM 2.5 Helpdesk and selfservice sites to open for authenticated users with no password prompt

  I Need MBAM 2.5 Helpdesk and self service sites to open for authenticated users with no password prompt. I just cant seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to login
  to the sites but am prompted for a password. That said anyone I add into the helpdesk users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain authenticated users that have been added to the MBAM Help Desk
  Users group to negotiate the site with NO password challenge at all.
  tconners

  This generally means that your SPN is not set up correctly.  Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance.  You should set an SPN similar to setspn -s http/lance.contoso.com
  corp\lance.  In your browser, you should now be able to access the SSP without prompts.  However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com.  Since you are entering
  an FQDN in your browser, IE interprets the "." to mean "on the internet" which breaks Kerberos authentication.  By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use
  Kerberos.
  I can confirm, that I have exact configuration and I always get the password promt for the very first time. We have 2 server (1xIIS and 1xSQL) infrastructure in production with SPN set like it should and I get the password prompt.

• OBIEE 11.1.1.7 external database authentication fails with hashed passwords.

  Hi .
  I use an external database ( Oracle database 11g  release 11.2.0.1.0) to authenticate user with OBIEE 11.1.1.7.
  I configured  SQL Authentication provider as my provider ,It works OK with :enabled  Plaintext Passwords Enabled option and password  is stored as plain text.
  But It fails when I disable this option and want to authenticate with hashed passwords.It gives Authenticate Denied error.
  In Provider Specific tab there are some parameters which might need changes:
  1-Password Algorithm:??
  2-Password Style:??
  3-SQL Get Users Password:SELECT U_PASSWORD FROM USERS WHERE U_NAME = ?
  How can I find correct values for options 1 and 2 form my external database?
  And Is it need to rewrite query in option 3 ?
  Please find attach files.

  Hi,
  I too faced same issue when I was installing OBIEE 11.1.1.7.0 on windows7 64bit.
  Please refer the below links.
  http://satyaobieesolutions.blogspot.in/2013/05/configuration-action-creating-domain.html
  http://satyaobieesolutions.blogspot.in/2013/05/obiee-111170-simplesoftware-installation.html
  http://satyaobieesolutions.blogspot.in/2012/06/obiee-11.html
  Hope this help's
  Thanks,
  Satya

• IPlanet Web Server 6.0 SP3-4: authenticating succeeds with bogus password

  There is a very serious problem with ACL configured to authenticate against the ldap server.
  Going through the Global settings, if you configure it to use a Ldap server and then configure the ACL to allow only the authenticated users... however, by typing a bogus password, as long as userid is correct, I can get access to the URL pages.
  Previously, I have responded to "Thuan Nguyen" in the subject "Problem authenticating iPlanet Web Server 6.0 SP3 and SP4 with LDAP", regarding authentication to the Ldap with bogus password.
  I have emailed and called in to inform SUN of this severe security problem with their Web Server, but I don't even know if this information is getting through.
  Isn't there anyone out there who can also confirm this?
  And if there is any existing workarounds for this?
  Thank you.

  This is documented in the 6.0 SP5 (and higher)
  release notes as fixed problem 4770629, and,
  according to the SP5 release notes, "All users of
  previous versions of Sun ONE Web Server are strongly
  recommended to install this service pack."
  Note that the problem only occurs when the LDAP entry
  lacks a uid.Thanks for the info. However, the LDAP server I'm using does have the UID value.
  Regardless, I will try the SP5 and get back to you.
  Thank you.

• Db10g external password authentication with Active Directory via OID

  HI ALL
  - i have the synchronization AD-to-OID
  - i have the external authorization of AD users via SSO (external authorization plug-in)
  - i have the DB10g enterprise authorization of OID native users who have their password in OID (global schema)
  - but i cann't configure the DB10g autorization of AD-to-OID synchronized users who don't have their password in OID
  error:
  ORA-28274: No ORACLE password attribute corresponding to user nickname exists.
  i.e. those users are not recognized as users with external passwords.
  Any ideas, please ...

  Funny thing - LDAP (OID and Active Directory) defines a generic heirachical database. Like any other generic database, you need to define the schema to define what data is to be captured.
  Each LDAP application expects a certain schema. That includes Enterprise User Security (part of the Advanced Security Option).
  To accomplish what you want to do
  1) get familiar with the Enterprise User Security capability (see the EUS documentation at tahiti)
  2) learn to configure SQLNet / Oracle Networking to use LDAPthat is responsib (''cause it's Oracle Networking responsible for the login)
  3) Reverse the schema from OID and transport it to AD
  Aside from that, it's a no-brainer.

• Sun Management Console doesn't support MD5 passwords?

  I recently converted all our Sun systems to use MD5 passwords, using the Linux-BSD algorithm. I chose the Linux-BSD algorithm for compatibility reasons. After giving root a new password, now stored in MD5 format, I can no longer log in to the Sun Management Console (smc). I had the same problem with DB2. Switching root's password back to CRYPT fixed the issue.
  Is this a known problem that Sun is working on? And how does this happen? Shouldn't the application leave authentication to the OS?
  Mark

  IIRC the Solaris 10 Basic admin guide talks about this issue.
  alan

• MD5 Password Support in DS5.2

  I need to import accounts form an Oracle Directory (OID) to the Sun Directory 5.2p6. The passwords in the accounts use MD5. From what I read, MD5 is supported, but I am not finding how to configure it to work :).
  I do see a plugin called:NS-MTA-MD5, but not just MD5. I tried using NS-MTA-MD5 but that does not work.
  An example MD5 password is: {MD5}SCyBHaXVtLxtSX/6mEkeOA==
  cleartext: password123
  Any help is appreciated.
  Thanks,
  Eric

  There is no default support for an MD5 hashing scheme.
  Provided the algorithm used by Oracle Directory is publicly documented, it should be pretty straightforward to implement a new Password Storage Scheme Plug-in to support both Authentication and hashing new passwords in MD5 format.
  Directory Server ships with a sample plug-in that can be used as a template.
  Regards,
  Ludovic.