How to enable password hashing in OpenLDAP?
It seems that OpenLDAP has password-hash set to {SSHA} by default, but whenever I enter a cleartext password in userPassword attribute using Apache Directory Studio, it is still stored in clear text. I was expecting it to be converted to SSHA by OpenLDAP.
I also tried to put password-hash {SSHA} in slapd.conf file, but that didn't help.
When you try to store the userPassword attribute in add/modify LDAP operations, the userPassword value is stored as plain text. But you can override this behavior using the ppolicy_hash_cleartext option of the ppolicy overlay module in OpenLDAP. Once you enable it, when a client sends a plain text password, it is stored as SSHA by default. You can find configuration details on enabling password hashing in OpenLDAP here.
When you set the attribute directly, you are setting the actual value, which can be hashed or not (as you have already discovered).
The following, quoted from The FAQ:
First of all, make use of the 'slappasswd' utility to generate a password, so you can check if your PHP routines are correct. (The slappasswd utility is part of the openldap distribution).
The command
slappasswd -h {SHA} -s supersecretpassword
may help.
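To make the two answers above concrete, here is an added example (not from the original answers or from OpenLDAP itself) that builds userPassword values in the same {SHA} and {SSHA} layout slappasswd emits, verifies a candidate against either, and audits a set of entries for values that were stored without any hash scheme, which is the situation the question describes. The 4-byte salt length is slappasswd's default; the sample entries are constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example: {SHA} is base64(sha1(password)); {SSHA} is
# base64(sha1(password + salt) + salt) with the salt appended in the clear.
SALT_LEN = 4          # slappasswd's default salt size (assumption stated in the lead-in)
SHA1_LEN = 20         # a SHA-1 digest is always 20 bytes


def make_sha(password):
    """Unsalted {SHA}: equal passwords produce identical stored values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password, salt=b""):
    """Salted {SSHA}: a fresh random salt unless one is supplied (supplied only for tests)."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def is_hashed(stored):
    """True when the value carries a {SCHEME} prefix; bare values are cleartext."""
    return stored.startswith("{") and "}" in stored


def verify(stored, candidate):
    """Check a candidate password against a stored userPassword value."""
    cand = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    # No scheme prefix: the directory holds the password itself.
    return hmac.compare_digest(stored.encode("utf-8"), cand)


def audit(entries):
    """Return the DNs whose userPassword is stored without a hash scheme (constructed input)."""
    return [dn for dn, value in entries.items() if not is_hashed(value)]


if __name__ == "__main__":
    # Constructed sample directory content.
    sample = {
        "uid=alice,ou=people,dc=example,dc=com": make_ssha("supersecretpassword"),
        "uid=bob,ou=people,dc=example,dc=com": "bobs-cleartext-password",
    }
    print("cleartext entries:", audit(sample))
```

verify() handles the cleartext case so that an audit can still check logins while the entries are being re-hashed; is_hashed() is what tells you whether ppolicy_hash_cleartext (or a client-side slappasswd step) is actually taking effect.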
Will the Directory API store my password as plain text if I don't specify a hashFunction value in the request body? Kindly tell me.
If we check the docs for Manage users we can see how Google wants us to use the User.insert method. As far as the password goes there are a few things we can add to the body of the request.
The password itself and the hashFunction that was used to create the password
"password": "new user password",
"hashFunction": "SHA-1",
"changePasswordAtNextLogin": false,
If we read further down in the docs we will find this line.
A password is required for new user accounts. If a hashFunction is specified, the password must be a valid hash key. For more information, see the API Reference.
So you must send a password, in clear text. Then Google will hash it on their end using whatever hashing method they choose. If you then do a user.get on the new user created, the hashFunction will be filled in and Google will tell you which type of hash function they used.
You do have another option: you can decide yourself which hash function you want to use, by sending hashFunction as part of your request. However, you then must hash the password itself. If a hashFunction is specified, the password must be a valid hash key. This option may by some be considered more secure, as you are not sending a clear text password to Google for hashing.
So if you want to send it clear text, just let Google hash it on their end. However, if you have your own favorite hash function (don't we all) then feel free to use that, as long as it's one of these; apparently Google only supports MD5, SHA1 and crypt.
Resource: User
I have added an issue request 237333031 to have some clarifications added to the documentation.
Previously in SugarCRM, the following statement was enough:
UPDATE users SET user_hash = MD5('PASSWORD') WHERE user_name = 'USERNAME';
I can't find a single site on how to do it now with SuiteCRM?
I found this:
Can I still use MD5 passwords? I’m used to that and can easily administer passwords in the database using just MD5.
Sugar will still recognize passwords stored in MD5 format, but anytime a password is changed it will convert to the newer format. Unless a very old PHP build (5.2) is used on a system where the better crypt() is not available, new passwords will use a salted hashing algorithm.
Posted on SugarCRM's site:
https://developer.sugarcrm.com/2012/05/16/new-for-sugar-6-5-stronger-password-storage-encryption/
It turns out that SuiteCRM uses this new password format too, but, as well, it still recognizes md5 passwords, so, same sql statement works:
UPDATE users SET user_hash = MD5('PASSWORD') WHERE user_name = 'USERNAME';
I did it and it works :)
Btw, the same post recommends changing passwords with PHP crypt like this:
crypt(md5("newpassword"))
Maybe it can help someone else.
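Since the answer above says SuiteCRM still accepts bare MD5 values in users.user_hash and only converts them on the next password change, an administrator will want to know which accounts are still on the legacy form. The following is an added audit example (not from the post or from SuiteCRM): it classifies user_hash values, verifies a password against the legacy unsalted MD5 form, and lists the accounts still stored that way. The sample rows are constructed, and the crypt-style value is a placeholder in the "$id$salt$hash" shape, not a real hash; verifying those requires PHP's crypt(), which this block does not reproduce.

```python
import hashlib
import hmac
import re

# Added example: tell legacy MD5 entries apart from the newer salted crypt() entries.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")


def classify(user_hash):
    """'legacy-md5' for a bare 32-hex MD5, 'crypt-salted' for a PHP crypt() string."""
    if LEGACY_MD5.match(user_hash):
        return "legacy-md5"
    if user_hash.startswith("$"):
        return "crypt-salted"
    return "unknown"


def verify_legacy_md5(user_hash, password):
    """Legacy form: MD5 of the password with no salt, as in the UPDATE statement above."""
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, user_hash)


def legacy_accounts(rows):
    """Return the user_name of every (user_name, user_hash) row still stored as bare MD5."""
    return [name for name, user_hash in rows if classify(user_hash) == "legacy-md5"]


# Constructed sample of what a SELECT user_name, user_hash FROM users might return.
SAMPLE_ROWS = [
    ("admin", hashlib.md5(b"PASSWORD").hexdigest()),
    ("alice", "$1$ab12cd34$PLACEHOLDERCRYPTVALUE"),   # placeholder, not a real crypt() hash
    ("bob", hashlib.md5(b"hunter2").hexdigest()),
]

if __name__ == "__main__":
    for name, user_hash in SAMPLE_ROWS:
        print(name, classify(user_hash))
    print("still on legacy MD5:", legacy_accounts(SAMPLE_ROWS))
```

Because the legacy form is unsalted, two users with the same password share the same user_hash, which is a quick way to spot the weakness in a dump of the column; the list from legacy_accounts() is the set of users to ask for a password change so the CRM re-stores them in the salted format.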
I know this is a total novice question, but any help would be greatly appreciated.
So I'm creating my first app in Treeline and simply want to check to see if a username / password combination is valid.
What's the best way to do that given the current machines that are available? I attempted to use the Password machine with "Check Password", but it wasn't immediately clear how you take the hashed password returned from "find user" and compare it to the hashed pw already stored.
Ended up figuring this out after some trial and error.
Use the Find One User machine which will return the encrypted password. Then use the Check Password machine using your unencrypted password parameter as the first value, then the FindOneUser variable as the second.
If you click the FindOneUser bubble, it will turn into a dropdown and it will allow you to choose the password key from the dictionary.
I have a Python3 program which sends emails. It reads variables from a config file, and one of these is the password of the email account which sends the emails. Now, it is in clear text, but it should not be, so I am looking for a way to hide it.
I thought about directly writing the result of applying md5 to the password, like for example:
password = 'write_here_the_password_encrypted'
But the following code would not work:
import smtplib
server = smtplib.SMTP('smtp.gmail.com:587')
server.starttls()
server.login(username, password)
server.sendmail(from_email, to_emails, msg)
server.quit()
Is there any way to make the line server.login(username, password) work if the password is encrypted?
The login method of SMTP needs the plain password, not some hash of it, so the only way to make it work is to decrypt the password before passing it to login().
But as md5 is a one-way hash function (or intended to be one way), you cannot decode the password once you have encoded it into an md5 hash. And even if you could, anyone who has access to your config could do so as well.
What you need to do is to separate passwords and other sensitive information into a separate file, and store it in a safe location, not accessible to unauthorized persons.
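The answer's advice, keeping the SMTP password in its own file that only the sending account can read, can be enforced in the program rather than just documented. The following is an added example, not from the question or the answer: it writes the secret file with owner-only permissions, and the loader refuses the file outright if group or world bits are set, so a careless chmod fails loudly instead of silently exposing the password. The file path, the JSON layout and the sample credentials are this example's own choices; the demo runs entirely in a temporary directory and never connects to a mail server.

```python
import json
import os
import stat
import tempfile

# Added example: credentials live in their own file, loaded only if mode is owner-only.


def write_secret_file(path, username, password):
    """Create the secrets file with 0600 from the start, not chmod'ed after the fact."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"username": username, "password": password}, f)


def load_smtp_credentials(path):
    """Return (username, password), or raise if anyone but the owner can read the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            "%s is accessible to group/others (mode %s); refusing to load it" % (path, oct(mode))
        )
    with open(path) as f:
        data = json.load(f)
    return data["username"], data["password"]


def demo():
    """Exercise both paths in a throwaway directory with constructed credentials."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "smtp_secret.json")
        write_secret_file(path, "mailer@example.com", "constructed-password")
        loaded = load_smtp_credentials(path)
        os.chmod(path, 0o644)            # simulate a careless chmod
        try:
            load_smtp_credentials(path)
            rejected = False
        except PermissionError:
            rejected = True
    return {"loaded": loaded, "rejected_when_world_readable": rejected}


if __name__ == "__main__":
    print(demo())
    # In the real program the plain password reaches login() only from this loader:
    #     username, password = load_smtp_credentials("/etc/myapp/smtp_secret.json")
    #     server.login(username, password)
```

The file must still hold the password in clear, because SMTP AUTH needs it; what the loader changes is that the secret is separated from the rest of the config, and that a mis-permissioned copy is never used.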
In my ext. I auto generate a password that is converted to a salted password and stored in the DB.
The generation of the password is done with the method provided in the saltedpassword ext.
At the end of the registration process of my application, I would like to show the password in plain text.
As far as I can tell, there is no method available in the salted password extension to convert a password back to plain text.
How can I do this?
tnx
There is no possibility to reverse a hashed string back to the original string. If you found a service which offers that, they are using rainbow tables. See http://md5.gromweb.com/. For this reason there is no reverse function inside the saltedpassword extension.
You also should ask yourself why you want to show the user the password. This will put your extension into a bad light security-wise. As a user I would think that you save my password as plain text into the database.
But to answer your question: You can of course save the plain password in the session and print it at the end of registration process.
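The flow the answer suggests, hash for the database but keep the cleartext in the session only until the final page has shown it, looks like the following added example. It is not from the answer or from the TYPO3 saltedpasswords extension: the PBKDF2-HMAC-SHA256 record format, the session key name and the dictionary-based session and user store are this example's own choices, chosen so the block runs stand-alone.

```python
import hashlib
import hmac
import os
import secrets

# Added example: generate a password, store only its salted one-way hash,
# and hand the cleartext out exactly once from the session.
ITERATIONS = 200_000
SESSION_KEY = "generated_password_once"


def generate_password(nbytes=12):
    """Random URL-safe password from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def hash_password(plain, salt=None):
    """Salted PBKDF2 record: 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time; there is no reverse."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(session, users, username):
    """Registration step: the DB row gets the hash, the session gets the cleartext."""
    plain = generate_password()
    users[username] = {"password_hash": hash_password(plain)}
    session[SESSION_KEY] = plain
    return users[username]


def finish_registration(session):
    """Final page: return the cleartext once and remove it from the session."""
    return session.pop(SESSION_KEY)


if __name__ == "__main__":
    session, users = {}, {}
    register(session, users, "alice")
    shown_once = finish_registration(session)
    print("stored row:", users["alice"])
    print("login works:", verify_password(users["alice"]["password_hash"], shown_once))
```

Because finish_registration() pops the key, a second request for the page cannot show the password again, which is the property that keeps this design defensible: the cleartext exists only in the session for the duration of one registration, and the database never sees it.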