Hello,
I am trying to get a handle on how to use Perl to compare passwords
stored in LDAP that may be encrypted by different means such as MD5,
SMD5, CRYPT etc. The passwords are stored in userPassword attribute.

The application that I'm trying to adapt to multiple possible password
hashes is Koha - Integrated Library System (http://www.koha.org). As it
is now LDAP auth only works with clear text.

Here is a snip of the code from Auth.pm Koha 2.2.4:

        ##################################################
        ### LOCAL
        ### Change the code below to match your own LDAP server.
        ##################################################
        # LDAP connexion parameters
        my $ldapserver = '172.16.56.209';
        # Infos to do an anonymous bind
        my $ldapinfos = 'ou=users,dc=tow,dc=net ';
        my $name  = "ou=users,dc=tow,dc=net";
        my $db = Net::LDAP->new( $ldapserver );

        # do an anonymous bind
        my $res =$db->bind();
        # check connexion
        if($res->code) {
                # auth refused
                warn "LDAP Auth impossible : server not responding";
                return 0;
        # search user
        } else {
                my $userdnsearch = $db->search(base => "$name",
                                filter =>"(cn=$userid)",
                                );
                if($userdnsearch->code || ( $userdnsearch-> count eq
0 ) ) {
                        warn "LDAP Auth impossible : user unknown in
LDAP";
                        return 0;
                };
                # compare a-weak with $password.
                # The a-weak LDAP field contains the password
                my $userldapentry=$userdnsearch -> shift_entry;
                my $cmpmesg = $db -> compare ( $userldapentry, attr =>
'userPassword', value => $password );
                if( $cmpmesg -> code != 6 ) {
                        warn "LDAP Auth impossible : wrong password: ";
                                return 0;
                };
                # build LDAP hash
                my %memberhash;
                my $x =$userldapentry->{asn}{attributes};
                my $key;
                foreach my $k ( @$x) {
                        foreach my $k2 (keys %$k) {
                                if ($k2 eq 'type') {
                                        $key = $$k{$k2};
                                } else {
                                        my $a = @$k{$k2};
                                        foreach my $k3 (@$a) {
                                                $memberhash{$key} .=
$k3." ";
                                        }
                                }
                        }
                }
                #
                # BUILD %borrower to CREATE or MODIFY BORROWER
                # change $memberhash{'xxx'} to fit your ldap structure.
                # check twice that mandatory fields are correctly filled
                #
                my %borrower;
                $borrower{cardnumber} = $userid;
                $borrower{firstname} = $memberhash{givenName}; #
MANDATORY FIELD                $borrower{surname} = $memberhash{sn}; #
MANDATORY FIELD
                $borrower{initials} =
substr($borrower{firstname},0,1).substr($borrower{surname},0,1)."  "; #
MANDATORY FIELD
                $borrower{streetaddress} =
$memberhash{homePostalAddress}." "; # MANDATORY FIELD
                $borrower{city} = $memberhash{l}." "; # MANDATORY FIELD
                $borrower{phone} = $memberhash{homePhone}." "; #
MANDATORY FIELD                $borrower{branchcode} =
$memberhash{businessCategory}; # MANDATORY FIELD
                $borrower{emailaddress} = $memberhash{mail};
                $borrower{categorycode} = $memberhash{employeeType};
        ##################################################
        ### /LOCAL

The section that compares passwords retrieved from LDAP needs to be
expanded to include other encryption methods. I am not very well versed
in Perl (better with PHP, sorry) but would appreciate some ideas on
where to proceed.

Thanks in advance.

Kent N

kent sent the following missive on 12/13/2005 9:42 PM:

Using LDAP like a database, where you compare password hashes, really
isn't the correct way to use it.  As a matter of fact, in some LDAP
implementations, including Active Directory, you can't even query the
userPassword attribute.

To authenticate a user, you find out if you can bind to the LDAP server
using that username and password.

To do it in other than clear text, you use LDAP over SSL by connecting
to ldaps://

Also, there is a PHP LDAP library.  It isn't as robust as perl-ldap by
any means, but for authenticating a user it works fine.

On 14/12/05 3:18, Justin Alcorn <jus...@jalcorn.net> wrote:

You're correct. Google should be able to help you work out the various
schemes are implemented (the only surprising thing is that many are
pointlessly base64 encoded) but seriously do not bank on being able to read
them back.

If you're doing SASL authentication, the password might not even be
something the server can return. There might not *be* a password.

Yes, this is absolutely the very best thing to do. You might need to do a
search to convert your username value into the user's DN, but then you
should do a bind() to get the server to compare the password.

To make it clear - this is *not* generally required by servers.

Cheers,

Chris

--On Wednesday, December 14, 2005 6:21 AM +0000 Chris Ridd

And connecting over LDAPS is not the only way to encrypt the connection.
There is TLS over port 389, for example, and also some SASL mechanisms do
the encryption themselves (like SASL/GSSAPI for example).

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

On 14/12/05 6:36, Quanah Gibson-Mount <qua...@stanford.edu> wrote:

Yep, that too.

Cheers,

Chris