6.13.2010

Decoding OpenLDAP & IBM Directory Server password hashes

OpenLDAP {SHA} values are the raw bytes of the SHA-1 digest, base64-encoded and prefixed with the scheme name. Example:
userpassword:: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

The original SHA hash can be extracted from this with the help of fdump (http://sourceforge.net/projects/fdump/files/):

echo -n W6ph5Mm5Pz8GgiULbPgzG37mj9g= | base64 -d - | fdump -

IBM Directory Server, while based on OpenLDAP, implements a botched version of this. Instead of base64 encoding the SHA hash only, they encode the "{SHA}" prefix as well. Example:

userpassword:: e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A==

The SHA hash can be extracted in the same manner by cutting the ten hex characters of the "{SHA}" prefix (7b 53 48 41 7d) from the front of fdump's output:

echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== | base64 -d - | fdump - | cut -c 11-

FTW, let's convert the IBM Directory Server userpassword field back to the OpenLDAP format:

echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== | base64 -d - | fdump - | cut -c 11- | xxd -r -p | base64 | awk '{print"{SHA}"$1}'

This is called "taking it back". At $30,000 per IBM Directory Server license, I highly recommend it!
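As an added example that is not part of the original post: the same decoding and conversion done in Python with the standard library only, using the two values quoted above, plus a verify() helper that authenticates a candidate password against the recovered digest. It assumes exactly the layouts the post describes ("{SHA}" + base64(digest) for OpenLDAP; base64("{SHA}" + digest) in the IBM LDIF export) and that {SHA} means SHA-1; the function names are mine.

```python
import base64
import hashlib
import hmac

# Values copied from the post: the same SHA-1 digest in both encodings.
OPENLDAP_VALUE = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
IBM_LDIF_VALUE = "e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A=="

SCHEME = b"{SHA}"                       # prefix IBM folds into the base64 payload
SHA1_LEN = hashlib.sha1().digest_size   # 20 bytes


def digest_from_openldap(value: str) -> bytes:
    """OpenLDAP: '{SHA}' followed by base64 of the raw 20-byte SHA-1 digest."""
    if not value.startswith("{SHA}"):
        raise ValueError("not an OpenLDAP {SHA} value")
    digest = base64.b64decode(value[len("{SHA}"):], validate=True)
    if len(digest) != SHA1_LEN:
        raise ValueError(f"expected {SHA1_LEN}-byte digest, got {len(digest)}")
    return digest


def digest_from_ibm(ldif_b64: str) -> bytes:
    """IBM Directory Server LDIF: base64 of '{SHA}' + raw 20-byte SHA-1 digest.

    Decoding yields the literal bytes 7b 53 48 41 7d followed by the digest,
    which is what the 'cut -c 11-' in the shell pipeline strips off.
    """
    raw = base64.b64decode(ldif_b64, validate=True)
    if not raw.startswith(SCHEME):
        raise ValueError("decoded value does not start with {SHA}")
    digest = raw[len(SCHEME):]
    if len(digest) != SHA1_LEN:
        raise ValueError(f"expected {SHA1_LEN}-byte digest, got {len(digest)}")
    return digest


def to_openldap(digest: bytes) -> str:
    """Re-encode a raw digest in OpenLDAP's '{SHA}<base64>' form."""
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def to_ibm(digest: bytes) -> str:
    """Re-encode a raw digest in the IBM LDIF form (prefix inside the base64)."""
    return base64.b64encode(SCHEME + digest).decode("ascii")


def ibm_to_openldap(ldif_b64: str) -> str:
    """Same conversion as the shell pipeline in the post, without fdump/xxd."""
    return to_openldap(digest_from_ibm(ldif_b64))


def openldap_to_ibm(value: str) -> str:
    """The reverse direction, for loading OpenLDAP exports into IBM."""
    return to_ibm(digest_from_openldap(value))


def verify(digest: bytes, candidate: str) -> bool:
    """Authenticate a candidate password against a stored {SHA} digest.

    Constant-time comparison so the check does not leak how many bytes matched.
    """
    computed = hashlib.sha1(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    d = digest_from_ibm(IBM_LDIF_VALUE)
    print("digest (hex): ", d.hex())
    print("OpenLDAP form:", ibm_to_openldap(IBM_LDIF_VALUE))
    print("back to IBM:  ", openldap_to_ibm(OPENLDAP_VALUE))
```

Both directions round-trip on the post's values, and the parsers reject a payload that lacks the prefix or has the wrong digest length rather than silently producing garbage. Note that {SHA} is unsalted: every account with the same password stores an identical digest, so this format is only a stepping stone; OpenLDAP's {SSHA} (base64 of digest + salt) avoids that, and the same parsing approach extends to it by treating the bytes after the first 20 as the salt.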
