Enhancement request: Allow alternate hashes in CRYPT password encryption type #131

Closed
389-ds-bot opened this issue Sep 12, 2020 · 7 comments

@389-ds-bot

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/131


https://bugzilla.redhat.com/show_bug.cgi?id=245968

Description of problem:

Directory server currently supports a number of password encryption types,
including SSHA, CRYPT, MD5, SHA256, etc.  Some older Unix versions (Irix, in my
case) support LDAP, but don't support anything other than CRYPT as the
encryption type.  However, Irix WILL support CRYPT with more secure hashes than
DES (for example, MD5).

We need a way to specify alternate hashes for CRYPT encryption type, preferably
with a user-selectable "md5crypt" type in the "Password encryption:" dialog
within the Fedora Management Console.

Version-Release number of selected component (if applicable):

Tested on FDS 1.0.4.

How reproducible:

Steps to Reproduce:

1. Create an LDAP user account using SSHA password encryption.
2. Try to log in on a properly configured Irix workstation using this account.
Note that it fails.
3. Change the password encryption to CRYPT.  The login will succeed.
4. Use a utility like phpLDAPAdmin to change the password encryption to
"md5crypt" (i.e. CRYPT with an md5 hash).  The login will still succeed.

Actual results:

See above.

Expected results:

N/A - request for enhancement.

Additional info:

Apparently Sun implemented this by adding an optional parameter passed to its
crypt password storage scheme plugin (see
http://docs.sun.com/app/docs/doc/820-0376/6nc4cgnh4?a=view , topic 6557410).
While this would work with FDS, it would require hand-editing the dse.ldif
file, which I'm sure would be a bad thing.  Hopefully it can be implemented
properly with one or more new Password Storage Scheme dns.

OpenLDAP implemented this via a parameter, password-crypt-salt-format in
slapd.conf.
@389-ds-bot 389-ds-bot added the closed: not a bug Migration flag - Issue label Sep 12, 2020
@389-ds-bot 389-ds-bot added this to the FUTURE milestone Sep 12, 2020
@389-ds-bot

Comment from rmeggins (@richm) at 2012-01-10 06:05:49

batch update to FUTURE milestone

@389-ds-bot

Comment from rmeggins (@richm) at 2012-08-14 19:56:22

set default ticket origin to Community

@389-ds-bot

Comment from nkinder (@nkinder) at 2012-08-28 04:14:30

Added initial screened field value.

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2015-11-20 04:34:58

Another request in 2013.

Yap Chung Lam 2013-08-02 03:23:07 EDT

I need this feature too, to support Solaris login without needing to modify any default settings.
Without this support, the {CRYPT} password is limited to a maximum of 8 characters.

Here's my workaround, (not really sure if it will break anything)

- Get the 389-ds source code.
- Edit the file crypt_pwd.c under ldap/servers/plugins/pwdstorage
- in the function crypt_pw_enc
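/* salt has one extra byte for the terminating NUL that strcat() needs */
char *cry, salt[9],md5_salt[12]="$1$";
static const char b64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
int i;
...
...
slapi_rand_array( (void *)salt, 8);
/* map the raw random bytes into the crypt(3) salt alphabet, then terminate */
for (i = 0; i < 8; i++) salt[i] = b64[(unsigned char)salt[i] & 0x3f];
salt[8] = '\0';
strcat(md5_salt,salt); /* "$1$" + 8 salt characters + NUL = 12 bytes */
cry = crypt(pwd,md5_salt);
...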

Compile the 389-ds source and copy .libs/libpwdstorage-plugin.so to /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so

The password generated will be "md5-crypt", which Solaris and Irix should understand.

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2017-02-11 22:52:31

Metadata Update from @nhosoi:

  • Issue set to the milestone: FUTURE

@389-ds-bot

Comment from firstyear (@Firstyear) at 2017-04-05 07:32:13

We should not support crypt, and if anything, should be moving to deprecate it.

@389-ds-bot

Comment from firstyear (@Firstyear) at 2017-04-05 07:32:18

Metadata Update from @Firstyear:

  • Custom field component reset (from Security - Password Policy)
  • Custom field reviewstatus adjusted to new (was: Needs Review)
  • Issue close_status updated to: invalid
  • Issue status updated to: Closed (was: Open)
