SHA Encryption's problem

Hello all,

To be short: I work for a school and I have to build my own OpenLDAP server to authenticate my users. This server will be used to authenticate different local web applications and our MacBook Pro High Sierra 10.13.6 (about 120 computers).

Everything works except the following: when I create a new user in my OpenLDAP server, the password is encrypted using SHA. People can then connect to the web part of the server to change their password.

When they try to open a session on the MacBook Pro, they receive an error message about a wrong password (instead the connection to the OpenLDAP server is made and is fine).

I analyzed that and realized that when I create a user, the password looks like: {sha}<hash encryption>. If, using an LDAP admin tool, I change the {sha} to capital letters -> {SHA} and I don't change the hash encryption, I can connect with the computers.

But this time, people cannot authenticate anymore through the web console to change their password!

So it seems my OpenLDAP and my Macs are not storing the password in the same way.
I don't know what to do to make my 2 systems speak the same language...
Any idea is very welcome.
Thanks to all for your help
 
SHA is a common method of a hashing algorithm. Instead of storing passwords, computers create a one-way encrypted hash value of the password and store that. When users enter their password, that is hashed and compared with the hash value for that user on the LDAP server and authenticates them.

What version of OpenLDAP are you using? Mac OS Server, Linux ...?

See hash - How do you turn on password hashing (SSHA) in openLDAP - Stack Overflow
 
OP
Hello and thanks for your answer.

The computers are MacBook Pro High Sierra 10.13. My OpenLDAP is part of the ClearOS system (Linux CentOS) and is:

$OpenLDAP: slapd 2.4.44 (Oct 11 2019 15:35:58) $
root@build-x86_64-1.orem.clearos.com:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

According to what you said, it seems that the component of my system which is responsible for checking my current password (when I request a password change) does not have the same hashing method as the one of the Mac or my importing tool; instead they all use SHA encryption!


thanks :)
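
Added example, not part of the thread and not code from OpenLDAP, ClearOS or macOS: a Python sketch of how a `userPassword` value of the form `{SCHEME}base64` is checked for the `{SHA}` and `{SSHA}` schemes mentioned above. The `strict_case` switch is a hypothetical model of a client that only accepts an upper-case prefix, which is an assumption consistent with the symptom described, not a confirmed cause; all function names are made up for illustration.

```python
import base64
import hashlib
import hmac
import os

def make_userpassword(password: str, scheme: str = "SSHA") -> str:
    """Build a userPassword value: {SHA} = sha1(pw), {SSHA} = sha1(pw+salt)+salt."""
    pw = password.encode()
    if scheme == "SHA":
        blob = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        salt = os.urandom(8)
        blob = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode())

def verify(stored: str, password: str, strict_case: bool = False) -> bool:
    """Check a password against a stored value.
    strict_case=True models a hypothetical client that rejects '{sha}'."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    if not strict_case:
        scheme = scheme.upper()          # treat the prefix case-insensitively
    if scheme not in ("SHA", "SSHA"):
        return False
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:                   # malformed base64 payload
        return False
    digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, rest is salt
    if scheme == "SHA" and salt:
        return False                     # unsalted scheme must carry no salt
    expected = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)

def normalize_prefix(stored: str) -> str:
    """Upper-case only the scheme prefix; the base64 payload is case-sensitive."""
    scheme, b64 = stored[1:].split("}", 1)
    return "{%s}%s" % (scheme.upper(), b64)

if __name__ == "__main__":
    # Constructed sample value, not taken from the thread.
    lower = "{sha}" + make_userpassword("Constructed-pw-1", "SHA")[5:]
    print(verify(lower, "Constructed-pw-1"),
          verify(lower, "Constructed-pw-1", strict_case=True),
          normalize_prefix(lower))
```

Only the prefix is rewritten by `normalize_prefix`; the base64 payload stays byte for byte the same, which matches the observation that changing `{sha}` to `{SHA}` without touching the hash was enough for the Macs.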
 
