Jo De Troy
2006-Oct-25 20:14 UTC
[Fedora-directory-users] modify userPassword via perl-ldap?
Hello,

I'm trying to modify the userPassword value from within a perl script using Perl::LDAP. I generate an encrypted pwd in perl and then write it to FedoraDS via ldap->modify. The update seems successful but when I query FedoraDS afterwards the string in userPassword is not the same as the one I generated. What exactly is happening in the background giving this result? I tried writing the same value to another attribute (eg mail) and then it is as expected. What's the best way to update the userPassword from within perl?

Thanks again,
Jo
Mike Jackson
2006-Oct-25 20:16 UTC
Re: [Fedora-directory-users] modify userPassword via perl-ldap?
Jo De Troy wrote:
> Hello,
>
> I'm trying to modify the userPassword value from within a perl script
> using Perl::LDAP.
> I generate an encrypted pwd in perl and then write it to FedoraDS via
> ldap->modify
> The update seems successful but when I query FedoraDS afterwards the
> string in userPassword is not the same as the one I generated. What
> exactly is happening in the background giving this result? I tried
> writing the same value to another attribute (eg mail) and then it is
> as expected.
> What's the best way to update the userPassword from within perl?

When the server is set to do password hashing, then it hashes the value you send unless you prefix it with {sha} or similar. When prefixed, the server assumes that you know what you are doing.

--
mike
George Holbert
2006-Oct-25 20:17 UTC
Re: [Fedora-directory-users] modify userPassword via perl-ldap?
Are you prefixing the password with the hash you're using to encrypt the password? e.g., {crypt} or {ssha}
Jo De Troy wrote:
> Hello,
>
> I'm trying to modify the userPassword value from within a perl
script
> using Perl::LDAP.
> I generate an encrypted pwd in perl and then write it to FedoraDS via
> ldap->modify
> The update seems successfull but when I query FedoraDS afterwards the
> string in userPassword is not the same as the one I generated. What
> exactly is happening in the background giving this result? I tried
> writing the same value to another attribute (eg mail) and then it is
> as expected.
> What's the best way to update the userPassword from within perl?
>
> Thanks again,
> Jo
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Justin Crawford
2006-Oct-25 20:38 UTC
RE: [Fedora-directory-users] modify userPassword via perl-ldap?
> I'm trying to modify the userPassword value from within a
> perl script using Perl::LDAP.
> I generate an encrypted pwd in perl and then write it to FedoraDS via
> ldap->modify
> The update seems successful but when I query FedoraDS
> afterwards the string in userPassword is not the same as the
> one I generated. What exactly is happening in the background
> giving this result? I tried writing the same value to another
> attribute (eg mail) and then it is as expected.
> What's the best way to update the userPassword from within perl?

This page offers some advice for creating SHA and SSHA passwords (which your directory is likely doing) using various languages: http://www.openldap.org/faq/data/cache/347.html

You could use one of those snippets to do your own hashing prior to updating the userPassword attribute.

You could also use one of those snippets in your verification routine: Generate a hash in perl using the same algorithm used by your directory, and compare the perl-generated hash to the one stored in the userPassword attribute. If the two hashes are the same, it is extremely probable (almost certain) that the passwords they obscure are the same. (Note to crypto geniuses: please be gentle if I am wrong ;)

Justin
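The pre-hashing approach Mike, George and Justin describe, written out in Perl as an added example (not code from the thread, the OpenLDAP FAQ, or the perl-ldap distribution). A value produced by make_ssha() or make_sha() carries the {SSHA}/{SHA} prefix, so a server will store it verbatim instead of rehashing it; check_password() does the comparison Justin sketches, by re-hashing the candidate with the salt recovered from the stored value rather than comparing two freshly generated strings, since {SSHA} uses a random salt and two hashes of the same password will never be equal. The demonstration password is constructed for the example.

```perl
#!/usr/bin/perl
# Added example: build and check {SHA}/{SSHA}/{CRYPT} userPassword values.
use strict;
use warnings;
use Digest::SHA qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# {SSHA}: base64( SHA-1(password . salt) . salt ). The salt is random, so
# the same password yields a different string every call; compare by
# re-hashing (check_password), never by string equality of two new values.
sub make_ssha {
    my ($password, $salt) = @_;
    $salt = pack('C4', map { int rand 256 } 1 .. 4) unless defined $salt;  # 4 random bytes
    my $digest = sha1($password . $salt);                                   # raw 20-byte digest
    return '{SSHA}' . encode_base64($digest . $salt, '');                   # '' => no trailing newline
}

# {SHA}: unsalted base64(SHA-1(password)); identical input, identical output.
sub make_sha {
    my ($password) = @_;
    return '{SHA}' . encode_base64(sha1($password), '');
}

# Compare a candidate password against a stored userPassword value.
# Returns 1 on match, 0 on mismatch, and dies on any scheme this example
# does not handle (including an unprefixed value the server may have rehashed).
sub check_password {
    my ($stored, $candidate) = @_;
    if ($stored =~ /^\{SSHA\}(.+)$/i) {
        my $raw    = decode_base64($1);
        my $digest = substr($raw, 0, 20);    # SHA-1 digests are 20 bytes
        my $salt   = substr($raw, 20);       # everything after the digest is the salt
        return sha1($candidate . $salt) eq $digest ? 1 : 0;
    }
    if ($stored =~ /^\{SHA\}(.+)$/i) {
        return sha1($candidate) eq decode_base64($1) ? 1 : 0;
    }
    if ($stored =~ /^\{CRYPT\}(.+)$/i) {
        my $hash = $1;
        return crypt($candidate, $hash) eq $hash ? 1 : 0;   # crypt(3) salt is embedded in the hash
    }
    die "unsupported userPassword scheme: $stored\n";
}

# Demonstration with a constructed password.
my $password = 'correct horse battery staple';
my $ssha = make_ssha($password);
my $sha  = make_sha($password);
print "$ssha\n$sha\n";
print check_password($ssha, $password) ? "SSHA ok\n"   : "SSHA FAIL\n";
print check_password($ssha, 'wrong')   ? "SSHA FAIL\n" : "SSHA rejects wrong password\n";
print check_password($sha,  $password) ? "SHA ok\n"    : "SHA FAIL\n";
```

To write the value, pass the prefixed string to ldap->modify exactly as generated (replace => { userPassword => make_ssha($pw) }). Reading userPassword back for comparison requires an identity with read access to that attribute, which is one reason a bind-based check is usually preferred.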
Elías Halldór Ágústsson
2006-Oct-25 20:57 UTC
Re: [Fedora-directory-users] modify userPassword via perl-ldap?
Jo De Troy wrote:
> What's the best way to update the userPassword from within perl?

Either you write it directly in the form of {ENCRYPTION_METHOD}CRYPT_TEXT where ENCRYPTION_METHOD is e.g. SSHA or MD5 or CRYPT and CRYPT_TEXT is the password, crypted with said method, or you use the "Modify Password" extended LDAPv3 operation as described in RFC 3062 which is implemented in Net::LDAP::Extension::SetPassword.

The example cited in the Net::LDAP::Extension::SetPassword manpage makes the server autogenerate the password, which I'm not sure if FDS can do, but it can be changed, either by binding as the user himself or as the directory administrator (or whatever your ACLs allow).

Net::LDAP::Extension::SetPassword has the added benefit that password changes replicate to Active Directory replication agreements, if there be any.

--
Elías Halldór Ágústsson / Elias Halldor Agustsson
Yfirkerfisfræðingur / Senior Systems Analyst
Reiknistofnun Háskólans / University of Iceland
http://elias.rhi.hi.is/ elias@hi.is +3545254903
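The RFC 3062 route Elías points at, as an added Perl example (not from the thread or from the perl-ldap documentation). It shows both cases he mentions: an administrative reset that names the target entry, and a self-service change where the user binds and supplies the old password. Host name, DNs, CA bundle path and passwords are placeholders, and the script needs a reachable server.

```perl
#!/usr/bin/perl
# Added example: change userPassword with the Password Modify extended
# operation (RFC 3062) through Net::LDAP::Extension::SetPassword.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::SetPassword;

my $host    = 'ldap.example.com';                      # assumed
my $user_dn = 'uid=jo,ou=People,dc=example,dc=com';     # assumed
my $ca_file = '/etc/pki/tls/certs/ca-bundle.crt';       # assumed

my $ldap = Net::LDAP->new($host, version => 3) or die "connect to $host: $@";

# The new password travels in clear text inside the extended request, so
# protect the connection before binding or sending it.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $ca_file);
die "start_tls: " . $mesg->error if $mesg->code;

# Case 1: administrative reset. Bind as a privileged identity and name the
# target user; no old password is needed (subject to the server's ACLs).
$mesg = $ldap->bind('cn=Directory Manager', password => 'admin-secret');   # assumed
die "admin bind: " . $mesg->error if $mesg->code;

$mesg = $ldap->set_password(user => $user_dn, newpasswd => 'N3w-Passw0rd!');
die "set_password (reset): " . $mesg->error if $mesg->code;
print "reset done\n";

# Case 2: self-service change. Bind as the user; with no 'user' argument the
# operation applies to the bound identity, and the server verifies the old
# password before accepting the new one.
$mesg = $ldap->bind($user_dn, password => 'N3w-Passw0rd!');
die "user bind: " . $mesg->error if $mesg->code;

$mesg = $ldap->set_password(oldpasswd => 'N3w-Passw0rd!', newpasswd => 'An0ther-Passw0rd!');
die "set_password (change): " . $mesg->error if $mesg->code;
print "change done\n";

$ldap->unbind;
```

Calling set_password without newpasswd asks the server to generate one and, if it does, $mesg->gen_password returns it; as Elías notes, that part depends on the server implementing generation. Because the server receives the clear-text password, it applies its configured hash scheme, the same as a plain modify without a {SCHEME} prefix.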
Gordon Messmer
2006-Oct-25 20:59 UTC
Re: [Fedora-directory-users] modify userPassword via perl-ldap?
Justin Crawford wrote:
> This page offers some advice for creating SHA and SSHA passwords (which
> your directory is likely doing) using various languages:
> http://www.openldap.org/faq/data/cache/347.html
>
> You could use one of those snippets to do your own hashing prior to
> updating the userPassword attribute.

If I understand things correctly, it's probably best to set passwords plain-text and let the server hash them for you. I believe that you *must* do this if you want to use PassSync to sync passwords with AD. e.g.:

dn: uid=user,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userpassword: theNewPassword

If you don't specify a hash, the directory server should hash the password on your behalf.

> You could also use one of those snippets in your verification routine:
> Generate a hash in perl using the same algorithm used by your directory,
> and compare the perl-generated hash to the one stored in the
> userPassword attribute. If the two hashes are the same, it is extremely
> probable (almost certain) that the passwords they obscure are the same.
> (Note to crypto geniuses: please be gentle if I am wrong ;)

For security purposes, no one should be able to see the userPassword attribute. The proper way to validate a password is to search for the user's entry in LDAP, save the DN of that entry, and then attempt to bind as that DN using the password from the user. If the bind is successful, then the password is correct.
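Gordon's two recommendations in one Perl script, added here as an example (not code from the thread): the clear-text replace that lets the server hash userPassword, and a search-then-bind login check that never reads the attribute. It also covers two checks a practitioner wants in such a routine: an empty password is rejected before the bind (an empty password turns a simple bind into an anonymous bind, which succeeds), and the uid is escaped before it goes into the search filter. Host, base DN, CA bundle path and credentials are placeholders, and the script needs a reachable server.

```perl
#!/usr/bin/perl
# Added example: set userPassword in clear text (server hashes it), then
# validate a login by search-then-bind.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $host    = 'ldap.example.com';                 # assumed
my $base    = 'ou=People,dc=example,dc=com';      # assumed
my $ca_file = '/etc/pki/tls/certs/ca-bundle.crt'; # assumed

# Open a TLS-protected connection; passwords cross the wire in both steps.
sub connect_ldap {
    my $ldap = Net::LDAP->new($host, version => 3) or die "connect to $host: $@";
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $ca_file);
    die "start_tls: " . $mesg->error if $mesg->code;
    return $ldap;
}

# Replace userPassword with the clear-text value. With no {SCHEME} prefix the
# server hashes it using its configured scheme, so a later read of the
# attribute will not equal $new_pw; that is the intended behaviour.
sub reset_password {
    my ($ldap, $dn, $new_pw) = @_;
    my $mesg = $ldap->modify($dn, replace => { userPassword => $new_pw });
    die "modify $dn: " . $mesg->error if $mesg->code;
}

# Search-then-bind validation. Returns 1 if the uid/password pair is valid.
sub authenticate {
    my ($uid, $password) = @_;

    # An empty password would make the bind below anonymous, and an anonymous
    # bind succeeds on most servers; refuse it before touching the directory.
    return 0 unless defined $password && length $password;

    my $ldap = connect_ldap();

    # Escape the user-supplied uid so it cannot alter the filter.
    my $filter = '(uid=' . escape_filter_value($uid) . ')';
    my $mesg = $ldap->search(base => $base, scope => 'sub',
                             filter => $filter, attrs => ['1.1']);  # '1.1' = no attributes, DN only
    die "search: " . $mesg->error if $mesg->code;

    if ($mesg->count != 1) {      # unknown user, or an ambiguous uid
        $ldap->unbind;
        return 0;
    }
    my $dn = $mesg->entry(0)->dn;

    # Bind as the user; the server compares against the stored hash itself,
    # so nobody needs read access to userPassword.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = $mesg->code ? 0 : 1;
    $ldap->unbind;
    return $ok;
}

# Demonstration (placeholders).
my $admin = connect_ldap();
my $mesg  = $admin->bind('cn=Directory Manager', password => 'admin-secret');   # assumed
die "admin bind: " . $mesg->error if $mesg->code;
reset_password($admin, "uid=jo,$base", 'N3w-Passw0rd!');
$admin->unbind;

print authenticate('jo', 'N3w-Passw0rd!') ? "login ok\n" : "login rejected\n";
print authenticate('jo', 'wrong')         ? "login ok\n" : "login rejected\n";
print authenticate('jo', '')              ? "login ok\n" : "login rejected\n";
```

If the directory does not allow anonymous searches, bind with a low-privilege service account before the search in authenticate() and keep the user bind on a separate connection.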
Luis
2006-Oct-29 12:14 UTC
Re: [Fedora-directory-users] modify userPassword via perl-ldap?
On 10/25/06, Jo De Troy <jo.de.troy@gmail.com> wrote:
> Hello,
>
> I'm trying to modify the userPassword value from within a perl script
> using Perl::LDAP.
[snip]
> Thanks again,
> Jo

Hello Jo,

I did a nice CGI (under GPL) done in Perl that does this. You can grab a copy from: http://lems.kiskeyix.org/toolbox/?f=adduser-ldap.cgi

Just use it as an example. The script is meant to be dropped under any server's cgi-bin directory and it will allow new accounts to be created as well as password resets. If you need help setting it up, let me know.

--
Luis Mondesi
*NIX Guru
Kiskeyix.org

"We think basically you watch television to turn your brain off, and you work on your computer when you want to turn your brain on" -- Steve Jobs in an interview for MacWorld Magazine 2004-Feb

No .doc: http://www.gnu.org/philosophy/no-word-attachments.es.html