Skip to content

Instantly share code, notes, and snippets.

@thegeek

thegeek/openldap_passwd.py

Forked from rca/openldap_passwd.py
Created July 29, 2016 10:21
Show Gist options
  • Save thegeek/c7a28391c2cec54157c07518486af95b to your computer and use it in GitHub Desktop.
Save thegeek/c7a28391c2cec54157c07518486af95b to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @rca rca revised this gist Oct 30, 2013. 1 changed file with 4 additions and 5 deletions.
    9 changes: 4 additions & 5 deletions openldap_passwd.py
    View file
    Original file line number Diff line number Diff line change
    @@ -10,12 +10,11 @@
    import os


    def check_password(tagged_digest_salt_b64, password):
    def check_password(tagged_digest_salt, password):
    """
    Checks the OpenLDAP tagged digest against the given password
    """
    # the entire payload is base64-encoded
    tagged_digest_salt = tagged_digest_salt_b64.decode('base64')
    assert tagged_digest_salt.startswith('{SSHA}')

    # strip off the hash label
    @@ -46,10 +45,10 @@ def make_secret(password):
    # create a base64 encoded string of the concatenated digest + salt
    digest_salt_b64 = '{}{}'.format(sha.digest(), salt).encode('base64').strip()

    # now base64-encode the encoded digest above with the {SSHA} tag
    tagged_digest_salt_b64 = '{{SSHA}}{}'.format(digest_salt_b64).encode('base64').strip()
    # now tag the digest above with the {SSHA} tag
    tagged_digest_salt = '{{SSHA}}{}'.format(digest_salt_b64)

    return tagged_digest_salt_b64
    return tagged_digest_salt


    if __name__ == '__main__':
  2. @rca rca created this gist Oct 29, 2013.
    61 changes: 61 additions & 0 deletions openldap_passwd.py
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,61 @@
    #!/usr/bin/env python
    """
    http://www.openldap.org/faq/data/cache/347.html
    As seen working on Ubuntu 12.04 with OpenLDAP 2.4.28-1.1ubuntu4
    Author: Roberto Aguilar <[email protected]>
    """
    import hashlib
    import os


    def check_password(tagged_digest_salt_b64, password):
    """
    Checks the OpenLDAP tagged digest against the given password
    """
    # the entire payload is base64-encoded
    tagged_digest_salt = tagged_digest_salt_b64.decode('base64')
    assert tagged_digest_salt.startswith('{SSHA}')

    # strip off the hash label
    digest_salt_b64 = tagged_digest_salt[6:]

    # the password+salt buffer is also base64-encoded. decode and split the
    # digest and salt
    digest_salt = digest_salt_b64.decode('base64')
    digest = digest_salt[:20]
    salt = digest_salt[20:]

    sha = hashlib.sha1(password)
    sha.update(salt)

    return digest == sha.digest()


    def make_secret(password):
    """
    Encodes the given password as a base64 SSHA hash+salt buffer
    """
    salt = os.urandom(4)

    # hash the password and append the salt
    sha = hashlib.sha1(password)
    sha.update(salt)

    # create a base64 encoded string of the concatenated digest + salt
    digest_salt_b64 = '{}{}'.format(sha.digest(), salt).encode('base64').strip()

    # now base64-encode the encoded digest above with the {SSHA} tag
    tagged_digest_salt_b64 = '{{SSHA}}{}'.format(digest_salt_b64).encode('base64').strip()

    return tagged_digest_salt_b64


    if __name__ == '__main__':
    # buffer straight out of OpenLDAP
    ldap_buf = 'e1NTSEF9VGY1dVFxUkl0VzV2NGowV0RNNXczY2dJd2ZLS0FUcFg='
    print 'ldap buffer result: {}'.format(check_password(ldap_buf, 'foobar'))

    # check that make_secret() above can properly encode
    print 'checking make_secret: {}'.format(check_password(make_secret('foobar'), 'foobar'))