Java: decrypting OpenLDAP passwords

Disclaimer: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must likewise follow CC BY-SA, cite the original URL and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/5938766/

Date: 2020-10-30 13:34:06  Source: igfitidea

Decrypting OpenLDAP passwords

Tags: java, ldap, jaas, openldap, gssapi

Asked by odtf

I have a set of users in my OpenLDAP and I wish to get some information from them, for example "cn" and "userPassword".

However, when I retrieve these details the password isn't in plain text even though it is set to this in my LDAP server.

Any ideas how to solve this?

Answered by JPBlanc

The userPassword is generally stored in hashed form:

userPassword: {hashAlgorithm}Hashed value

Example:

userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3

The userPassword attribute is allowed to have more than one value, and it is possible for each value to be stored in a different form. During authentication, slapd will iterate through the values until it finds one that matches the offered password or until it runs out of values to inspect. The storage scheme is stored as a prefix on the value.

You can have:

CRYPT

This scheme uses the operating system's crypt(3) hash function. It normally produces the traditional Unix-style 13 character hash, but on systems with glibc2 it can also generate the more secure 34-byte MD5 hash.

MD5

This scheme simply takes the MD5 hash of the password and stores it in base64 encoded form.

SMD5

This improves on the basic MD5 scheme by adding salt (random data which means that there are many possible representations of a given plaintext password). For example, both of these values represent the same password.

SSHA

This is the salted version of the SHA scheme. It is believed to be the most secure password storage scheme supported by slapd.

Conclusion

Most of the time you don't have to recover the password. You just have to compute the hash from the password given by the user in the login form and compare it with the one in userPassword.
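As an added example (not code from the original post, and in Python rather than the asker's Java because the check is the same in any language), the verifier below implements what the answer describes: it parses the {SCHEME}base64 layout, splits the payload into digest and salt for the salted SMD5/SSHA schemes (digest first, salt appended), re-hashes candidate+salt, and walks several userPassword values the way slapd does. The function names, the 4-byte default salt in make_hash and the sample entry in the demo are assumptions; the {SSHA} value from the answer is only parsed here, since its clear-text password is not given on the page.

```python
"""Verify a clear-text password against OpenLDAP userPassword values.

Payload layout per scheme: base64( digest [+ salt] ). Salted schemes
(SMD5, SSHA) append the salt after the digest, so the verifier must
split the payload before re-hashing. A value with no {SCHEME} prefix,
or with {CLEARTEXT}, is the raw password.
"""
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib algorithm name, salted?)
SCHEMES = {
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
}


def parse_userpassword(value):
    """Split one userPassword value into (scheme, digest, salt).

    Unprefixed and {CLEARTEXT} values come back with the raw password as the
    "digest" and an empty salt. Schemes this example does not handle (for
    instance {CRYPT}, which depends on the OS crypt(3)) raise ValueError.
    """
    if not value.startswith("{") or "}" not in value:
        return "CLEARTEXT", value.encode(), b""
    scheme, _, payload = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return scheme, payload.encode(), b""
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme {%s}" % scheme)
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    digest_len = hashlib.new(algo).digest_size  # 16 for MD5, 20 for SHA-1
    if salted:
        if len(raw) <= digest_len:
            raise ValueError("salted value carries no salt")
        return scheme, raw[:digest_len], raw[digest_len:]
    if len(raw) != digest_len:
        raise ValueError("unexpected digest length for {%s}" % scheme)
    return scheme, raw, b""


def verify_password(candidate, stored):
    """Return True if `candidate` matches the single userPassword value `stored`."""
    scheme, digest, salt = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(candidate.encode(), digest)
    algo, _ = SCHEMES[scheme]
    computed = hashlib.new(algo, candidate.encode() + salt).digest()
    # constant-time comparison; unequal lengths simply compare unequal
    return hmac.compare_digest(computed, digest)


def verify_any(candidate, stored_values):
    """userPassword is multi-valued: like slapd, accept the first value that matches.

    Values in schemes this example cannot check are skipped, not treated as a match.
    """
    for value in stored_values:
        try:
            if verify_password(candidate, value):
                return True
        except ValueError:
            continue
    return False


def make_hash(password, scheme="SSHA", salt=None):
    """Build a userPassword value in the same layout (digest, then salt).

    The 4-byte default salt is an assumption chosen to match the 24-byte
    payload of the {SSHA} example in the answer (20-byte SHA-1 + 4-byte salt).
    """
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)
    raw = hashlib.new(algo, password.encode() + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())


if __name__ == "__main__":
    # Constructed sample entry (not data from the page): one freshly salted
    # {SSHA} value plus a {CRYPT} value this example cannot check and skips.
    entry = [make_hash("s3cret"), "{CRYPT}xyz"]
    print(entry[0], verify_any("s3cret", entry), verify_any("wrong", entry))
```

Running the block prints a new {SSHA} value each time (different salt, same password) together with True/False for the right and wrong candidate; parsing the answer's own example yields a 20-byte digest and a 4-byte salt, which is why "recovering" the password is neither needed nor possible from the stored value.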

Answered by Sam Corder

Your configuration has a password policy overlay that is configured to hash the plain text password: olcPPolicyHashCleartext: TRUE or ppolicy_hash_cleartext. Remove them and it should start storing the passwords in plain text.

That said, it isn't a good idea to store plain text passwords. At least encrypt it so that it can't be easily reversed by casual observers. And no, ROT13 or base64 encoding don't count.