OpenLDAP {SHA} hashes are base64-encoded hex byte-arrays of the SHA hash. Example:
userpassword:: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
The original SHA hash can be extracted from this with the help of fdump (http://sourceforge.net/projects/fdump/files/):
echo -n W6ph5Mm5Pz8GgiULbPgzG37mj9g= |base64 -d - |fdump -
IBM Directory Server, while based on OpenLDAP, implements a botched version of this. Instead of base64 encoding the SHA hash only, they encode the "{SHA}" prefix as well. Example:
userpassword:: e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A==
The SHA hash can be extracted in the same manner by cutting the hex for "{SHA}" (7b 53 48 41 7d) from the result:
echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== |base64 -d - |fdump - |cut -c 11-
FTW, let's convert the IBM Directory Server userpassword field back to the OpenLDAP format:
echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== |base64 -d - |fdump - |cut -c 11- |xxd -r -p |base64 |awk '{print"{SHA}"$1}'
This is called "taking it back". At $30,000 per IBM Directory Server license, I highly recommend it!
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment