The following questions are covered (in the order they are answered below):
1. Whether multiple hashing algorithms can coexist in the same directory
2. userPassword attribute format
3. What the "set password-storage" command affects
4. How to use multiple hashing algorithms in the same directory
dxserver 14.1.05 (build 18619) Linux 64-Bit
1. This was tested with several users in the same directory, each with a "userPassword" value hashed by a different algorithm. Every user was able to bind to the directory with their own password. Multiple hashing schemes can therefore coexist in one directory, and the mix does not affect any user's ability to log in.
2. The "userPassword" attribute holds the user's password. Once hashed, it is stored as "{SCHEME}base64-hash": the scheme tag in braces, followed directly by the base64 encoding of the hash output. For a salted scheme the encoded bytes also carry the salt, which is why the {SSHA512} value below is longer than a bare 64-byte SHA-512 digest. For example:
{SSHA512}t7glzHGXFnP6jBfZGZ3UJ3qp7t2aDlVvm0nr/MhNifld31sJwPLP6UOh7JZZHIGrsK/194EbAyHGTYa+EP0KepT5hbI=
{MD5}ICy5YqxZB1uWSwcVLSNLcA==
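The following Python is added here and is not part of the original article or of CA Directory itself. It encodes and verifies values in the "{SCHEME}base64" layout described above, assuming the usual LDAP convention that a salted scheme hashes password || salt and appends the salt to the digest before base64 encoding; the salt length is whatever the writer chose, and a verifier recovers it because every digest has a fixed size. The {MD5} value shown above is reproduced from the string "123". Scheme tags other than MD5 and SSHA512 are assumptions, since the page shows only those two.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not code from the article or from CA Directory. Assumed layout
# (the usual LDAP convention, consistent with the values shown on the page):
#   "{SCHEME}" + base64(digest)           for unsalted schemes
#   "{SCHEME}" + base64(digest || salt)   for salted schemes, digest = hash(password || salt)
# The page shows only {MD5} and {SSHA512}; the other tags below follow the same
# construction and are assumptions about which schemes a server accepts.
SCHEMES = {
    "MD5": ("md5", False),
    "SHA": ("sha1", False),
    "SHA256": ("sha256", False),
    "SHA512": ("sha512", False),
    "SMD5": ("md5", True),
    "SSHA": ("sha1", True),
    "SSHA256": ("sha256", True),
    "SSHA512": ("sha512", True),
}


def encode_userpassword(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value; salted schemes get 8 random bytes unless a salt is given."""
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_userpassword(value: str) -> Tuple[str, bytes]:
    """Split "{SCHEME}base64" into (SCHEME, decoded bytes); ValueError if there is no tag."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("value carries no {SCHEME} tag")
    scheme, encoded = value[1:].split("}", 1)
    # validate=True makes non-base64 characters raise binascii.Error (a ValueError)
    return scheme.upper(), base64.b64decode(encoded, validate=True)


def verify_userpassword(value: str, candidate: str) -> bool:
    """Check a candidate password against a stored value; False for unknown or malformed values."""
    try:
        scheme, raw = split_userpassword(value)
    except ValueError:
        return False
    if scheme not in SCHEMES:
        return False
    algo, salted = SCHEMES[scheme]
    digest_len = hashlib.new(algo).digest_size
    stored = raw[:digest_len]
    salt = raw[digest_len:] if salted else b""   # salt is whatever follows the digest
    if len(stored) != digest_len:
        return False                             # truncated value
    computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored, computed)  # constant-time comparison


if __name__ == "__main__":
    # The article's {MD5} example decodes to the MD5 of the string "123".
    print(encode_userpassword("123", "MD5"))
    print(verify_userpassword("{MD5}ICy5YqxZB1uWSwcVLSNLcA==", "123"))
    stored = encode_userpassword("correct horse", "SSHA512")
    print(stored)
    print(verify_userpassword(stored, "correct horse"), verify_userpassword(stored, "wrong"))
```

Running the script prints the article's {MD5} value, then True, then a fresh {SSHA512} value (different on every run because of the random salt) followed by True and False. The verifier does not trust the length of the base64 payload: it takes the first digest_size bytes as the digest and treats the remainder as the salt, so values written by clients that chose different salt lengths all verify.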
3. When the "userPassword" attribute is written with a clear-text password, the server hashes it with the algorithm selected by the command:
set password-storage = <hashing method>;
Example of the command:
set password-storage = bcrypt;
For more details, see the set password-storage command reference.
Beyond selecting the default hashing method applied to clear-text writes, the command did not appear to affect anything else.
4. When the "userPassword" attribute is written with an already-hashed value, the data is stored as-is. This is what allows multiple hashing algorithms to be used, regardless of the method selected by "set password-storage". Two consequences follow: the client is responsible for producing a value in a scheme and encoding the server understands, and any account with write access to userPassword can choose the scheme for an entry, including one weaker than the configured default, so that access should be restricted and the schemes actually in use audited.
For example, the Python script below sets a password hashed with SSHA512 even though the default method in the test environment was bcrypt. After the script runs successfully, the user "cn=alexd4,ou=test unit,o=test1,c=US" can log in to the directory with the matching clear-text password (the script uses placeholder DNs; substitute your own).
from ldap3 import Server, Connection, ALL, MODIFY_REPLACE
from ldap3.core.exceptions import LDAPException

# LDAP configuration
LDAP_SERVER = 'ldap://<IP>:<Port>'  # Replace with your LDAP server address; prefer ldaps:// or StartTLS, since a simple bind over plain ldap:// sends PASSWORD in clear text
USER_DN = 'cn=example_user,ou=example unit,o=example,c=US'  # Account with write access to userPassword on UPDATE_DN
PASSWORD = '<example_user password to login to the directory>'
UPDATE_DN = 'cn=example_user2,ou=example unit,o=example,c=US'  # Entry whose password is replaced
UPDATE_FIELD = 'userPassword'  # Attribute name (LDAP attribute names are case-insensitive; this is the conventional spelling)
# Pre-hashed value in "{SCHEME}base64" form. It is stored as-is, so the scheme
# chosen here (SSHA512) is what the entry ends up with, not the "set password-storage"
# default. Replace with the desired new value.
NEW_PASSWORD = '{SSHA512}QCWDoYQv8IeZXpCEF+U8rxgDRgqYCauljvL+FqhsKS5e17tlBPixSTXjGB8bigq2uH+502NAAAxH79qw03xl56cmxEGHRWTqGC5CCNtLZHFp2p7ozoarvTpxi0pBGmOPegjzZNRN+ifM1wQe9ItfbnU+P7Gw0k5RiMamQXUo+5M='

def update_ldap_entry():
    try:
        # Connect to the LDAP server and bind as USER_DN
        server = Server(LDAP_SERVER, get_info=ALL)
        conn = Connection(server, USER_DN, PASSWORD, auto_bind=True)
        print("Connected to LDAP server successfully.")
        # Prepare the modification: replace every existing userPassword value with the new one
        changes = {UPDATE_FIELD: [(MODIFY_REPLACE, [NEW_PASSWORD])]}
        # Perform the update
        if conn.modify(UPDATE_DN, changes):
            print(f"Successfully updated {UPDATE_FIELD} for {UPDATE_DN}.")
        else:
            print(f"Failed to update {UPDATE_FIELD}. Error: {conn.result['description']}")
        # Unbind the connection
        conn.unbind()
    except LDAPException as e:
        print(f"An LDAP error occurred: {e}")

if __name__ == '__main__':
    update_ldap_entry()
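Because pre-hashed writes are stored as-is, the scheme actually present on each entry can drift from the configured default without the server objecting. The Python below is an added example, not the article's or CA Directory's own code: it parses a small LDIF export (constructed inline, reusing the two hash values shown in this article) and reports the scheme of every userPassword value against an assumed configured default of SSHA512. The weak-scheme list, the DNs and the default are assumptions; the tag CA Directory uses for bcrypt-stored values is not shown on this page, so the example does not guess it.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

# Added example, not code from the article. It reads a minimal LDIF export
# (entries separated by blank lines, "attr: value" or base64 "attr:: value",
# continuation lines starting with one space, "#" comment lines) and reports
# the hashing scheme of every userPassword so that drift from the
# "set password-storage" default becomes visible.

# Assumption: schemes an administrator would want replaced today.
WEAK_SCHEMES = {"MD5", "SMD5", "SHA", "SSHA", "CRYPT"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF text into a list of entries, each a dict of lowercase attribute -> values."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines: List[str] = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:        # folded continuation line
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs: Dict[str, List[str]] = {}
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):                   # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        if "dn" in attrs:
            entries.append(attrs)
    return entries


def scheme_of(value: str) -> str:
    """Return the {SCHEME} tag of a userPassword value, or UNTAGGED if it has none."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "UNTAGGED"


def audit_userpassword(text: str, expected_scheme: str) -> List[Tuple[str, str, str]]:
    """Return (dn, scheme, verdict) for each userPassword value in the export."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        for value in entry.get("userpassword", []):
            scheme = scheme_of(value)
            if scheme == expected_scheme.upper():
                verdict = "ok"
            elif scheme == "UNTAGGED":
                verdict = "untagged"               # no scheme tag: clear text or foreign format
            elif scheme in WEAK_SCHEMES:
                verdict = "weak"
            else:
                verdict = "differs-from-default"
            findings.append((dn, scheme, verdict))
    return findings


def scheme_counts(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count how many userPassword values use each scheme."""
    counts: Dict[str, int] = {}
    for _, scheme, _ in findings:
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


# Constructed sample export (not real directory data). The {SSHA512} and {MD5}
# values are the two shown in the article; the {MD5} one is carried in LDIF's
# base64 ("::") form, the {SSHA512} one is folded across two lines, and the
# {SHA512} value is built here from a throwaway password.
ARTICLE_MD5 = "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
SHA512_VALUE = "{SHA512}" + base64.b64encode(hashlib.sha512(b"throwaway").digest()).decode()
SAMPLE_LDIF = "\n".join([
    "dn: cn=alexd4,ou=test unit,o=test1,c=US",
    "objectClass: person",
    "cn: alexd4",
    "userPassword: {SSHA512}t7glzHGXFnP6jBfZGZ3UJ3qp7t2aDlVvm0nr/MhNifld31sJwPLP6UOh7JZZHIGrsK/",
    " 194EbAyHGTYa+EP0KepT5hbI=",
    "",
    "dn: cn=legacy1,ou=test unit,o=test1,c=US",
    "objectClass: person",
    "cn: legacy1",
    "userPassword:: " + base64.b64encode(ARTICLE_MD5.encode()).decode(),
    "",
    "dn: cn=migrated,ou=test unit,o=test1,c=US",
    "objectClass: person",
    "cn: migrated",
    "userPassword: " + SHA512_VALUE,
    "",
    "dn: cn=import1,ou=test unit,o=test1,c=US",
    "objectClass: person",
    "cn: import1",
    "userPassword: ChangeMe1",
    "",
    "dn: cn=nopw,ou=test unit,o=test1,c=US",
    "objectClass: person",
    "cn: nopw",
])

if __name__ == "__main__":
    results = audit_userpassword(SAMPLE_LDIF, "SSHA512")
    for dn, scheme, verdict in results:
        print(f"{verdict:22} {scheme:10} {dn}")
    print(scheme_counts(results))
```

Run against a real export, the "weak" and "differs-from-default" rows are the entries whose passwords were written pre-hashed by some client rather than hashed by the server, which is the population to reset or to trace back to the writing account. The entry without a userPassword is parsed but produces no finding.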