Skip to content

Instantly share code, notes, and snippets.

@shtrom
Forked from rca/openldap_passwd.py
Last active December 6, 2017 02:34
Show Gist options
  • Save shtrom/a968be807ffa82acb289d74c60ebc5ab to your computer and use it in GitHub Desktop.
Save shtrom/a968be807ffa82acb289d74c60ebc5ab to your computer and use it in GitHub Desktop.
Python hashing and test functions for user passwords stored in OpenLDAP.
#!/usr/bin/env python
"""
http://www.openldap.org/faq/data/cache/347.html
As seen working on Ubuntu 12.04 with OpenLDAP 2.4.28-1.1ubuntu4
Author: Roberto Aguilar <[email protected]>
"""
import hashlib
import os
def check_password(tagged_digest_salt, password):
"""
Checks the OpenLDAP tagged digest against the given password
"""
# the entire payload is base64-encoded
assert tagged_digest_salt.startswith('{SSHA}')
# strip off the hash label
digest_salt_b64 = tagged_digest_salt[6:]
# the password+salt buffer is also base64-encoded. decode and split the
# digest and salt
digest_salt = digest_salt_b64.decode('base64')
digest = digest_salt[:20]
salt = digest_salt[20:]
sha = hashlib.sha1(password)
sha.update(salt)
return digest == sha.digest()
def make_secret(password):
"""
Encodes the given password as a base64 SSHA hash+salt buffer
"""
salt = os.urandom(4)
# hash the password and append the salt
sha = hashlib.sha1(password)
sha.update(salt)
# create a base64 encoded string of the concatenated digest + salt
digest_salt_b64 = '{}{}'.format(sha.digest(), salt).encode('base64').strip()
# now tag the digest above with the {SSHA} tag
tagged_digest_salt = '{{SSHA}}{}'.format(digest_salt_b64)
return tagged_digest_salt
if __name__ == '__main__':
if len(sys.argv) > 1:
print(make_secret(sys.argv[1]))
else:
# buffer straight out of OpenLDAP
ldap_buf = 'e1NTSEF9VGY1dVFxUkl0VzV2NGowV0RNNXczY2dJd2ZLS0FUcFg='
print 'ldap buffer result: {}'.format(check_password(ldap_buf, 'foobar'))
# check that make_secret() above can properly encode
print 'checking make_secret: {}'.format(check_password(make_secret('foobar'), 'foobar'))
@shtrom
Copy link
Author

shtrom commented May 21, 2016

$ ./openldap_passwd.py correcthorsebatterystaple
{SSHA}+URnLMpsW7I7rAGYuOHGR2uekn/6erCS
$ ./openldap_passwd.py correcthorsebatterystaple
{SSHA}dkLsdaxVyYn3VvbAAKlBIXc59amV7Vkc
$ ./openldap_passwd.py correcthorsebatterystaple
{SSHA}Aq5lfYRCDcupH5TqG4Lv4rI1dUyaAgBg

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment