directory-users mailing list archives

From Emmanuel Lecharny <>
Subject Re: [ApacheDS] Hash question
Date Fri, 08 Oct 2010 15:41:17 GMT
  On 10/8/10 3:43 PM, Jason Russler wrote:
>>> So if you currently have
>>> $1$PzZV2WYK$Asd3JtTFOwR3JnNTPjxDq/
>>> in /etc/shadow, you can try
>>> {MD5}PzZV2WYK$Asd3JtTFOwR3JnNTPjxDq/
>> As your example hash is salted, it should be:
>> {SMD5}PzZV2WYK$Asd3JtTFOwR3JnNTPjxDq/
> This isn't going to work.  I think Apache DS uses a different sized 
> salt for SMD5 than a typical shadow file - either that or a larger 
> resultant hash value.  Ah, well, I suppose I can use the "migrate" 
> feature of the pam_ldap module.  Too bad, Apache DS appears to be a 
> lot easier to deal with (in every other respect) than the other LDAP 
> systems I've dealt with.  I'm very new to it....
FYI, we are using the Java MessageDigest class to encode the password 
in Studio, and we assume in the server that the salt is 8 bytes long:

         int algoLength = encryptionMethod.algorithm.getName().length() + 2;
             case HASH_METHOD_SMD5:
                     // The password is associated with a salt. Decompose it
                     // in two parts, after having decoded the password.
                     // The salt will be stored into the EncryptionMethod structure
                     // The salt is at the end of the credentials, and is 8 bytes long
                     byte[] passwordAndSalt = Base64.decode( new String( credentials, algoLength,
                         credentials.length - algoLength, "UTF-8" ).toCharArray() );

                     int saltLength = passwordAndSalt.length - MD5_LENGTH;
                     encryptionMethod.salt = new byte[saltLength];
                     byte[] password = new byte[MD5_LENGTH];
                     split( passwordAndSalt, 0, password, encryptionMethod.salt );

                     return password;

Here, algoLength is the length for the string "{SMD5}" or whatever 
algorithm you used.

However, you should *not* use MD5 as it's considered broken...

Emmanuel Lécharny
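
The layout described in the message above (Base64 of a 16-byte MD5 digest followed by the salt), as an added Python example that is not ApacheDS code and not part of the original thread; it shows why the `/etc/shadow` string with only its prefix swapped cannot be read as `{SMD5}`. It assumes the digest is MD5(password + salt), the usual LDAP convention, and the sample password and salt are constructed.

```python
import base64
import binascii
import hashlib
import hmac

MD5_LENGTH = 16  # bytes in an MD5 digest, same constant name as the server code
PREFIX = "{SMD5}"


def make_smd5(password, salt):
    """Build a stored value: PREFIX + Base64(MD5(password + salt) + salt)."""
    digest = hashlib.md5(password + salt).digest()  # assumed order: password, then salt
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_smd5(value):
    """Return (digest, salt); raise ValueError if value is not a valid {SMD5} string."""
    if not value.startswith(PREFIX):
        raise ValueError("missing {SMD5} prefix")
    try:
        raw = base64.b64decode(value[len(PREFIX):], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not Base64: {exc}") from exc
    if len(raw) <= MD5_LENGTH:
        raise ValueError("no salt after the 16-byte digest")
    return raw[:MD5_LENGTH], raw[MD5_LENGTH:]  # salt is whatever follows the digest


def check_smd5(value, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = split_smd5(value)
    return hmac.compare_digest(hashlib.md5(password + salt).digest(), digest)


def explain_rejection(value):
    """Return 'ok' or the reason the value cannot be parsed as {SMD5}."""
    try:
        split_smd5(value)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: password and 8-byte salt are made up for this example.
    stored = make_smd5(b"secret", bytes(range(1, 9)))
    print(stored, check_smd5(stored, b"secret"))
    # The value proposed in the thread: crypt(3) text with only the prefix swapped.
    print(explain_rejection("{SMD5}PzZV2WYK$Asd3JtTFOwR3JnNTPjxDq/"))
```

The shadow entry is md5-crypt output (`$1$salt$hash`, an iterated construction with its own 64-character alphabet), so even a syntactically valid re-encoding would not verify against a single MD5(password + salt).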
