Tell OpenLDAP to use an already encrypted password - openldap

I'm new to LDAP and I am trying to import all my users.
I try to add a person like this:
dn: cn=Thomas Bendler,ou=Development,o=selflinux,dc=selflinux,dc=de
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
cn: Thomas Bendler
sn: Bendler
ou: Development
mail:project#selflinux.de
userpassword: {CRYPT}saHW9GdxihkGQ
But I have a problem with userpassword: {CRYPT}saHW9GdxihkGQ
My database already contains encrypted passwords like this one: a913759b1331c15d3048b7142fb75e50
How can I tell OpenLDAP/phpLDAPadmin to use the encrypted form and not to encrypt it again?

According to the OpenLDAP documentation, the password does not need to be stored encrypted and/or hashed.
So if you want to store an already encrypted/hashed password, it needs to be compliant with an authentication mechanism OpenLDAP knows; the supported schemes are, for example: SSHA, CRYPT, MD5, SMD5, SHA, etc.
If the passwords you have in your database are not hashed with a mechanism known to OpenLDAP, you won't be able to import them like that.
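As an added example (not code from the question or the answer above): a digest that already exists in another database can only be imported into userPassword if it is rewrapped in the "{SCHEME}base64" form that slapd understands. The 32-hex-character value quoted in the question is assumed here to be an unsalted MD5 of the password; that is the only case in which it maps onto the {MD5} scheme. If it is MD5 over salt+password, or not MD5 at all, there is no scheme to import it under and the users will have to set new passwords. The {CRYPT} helper only names the crypt(3) flavour of a value; such values work only if slapd was built with crypt support and the system's crypt(3) knows that flavour.

```python
import base64
import hashlib
import re

# Added example, not from the original post. LEGACY_HEX is the value quoted in
# the question; whether it really is an unsalted MD5 of the password is an
# assumption the importer has to confirm against the source application.
LEGACY_HEX = "a913759b1331c15d3048b7142fb75e50"

DIGEST_LEN = {"MD5": 16, "SHA": 20}   # raw digest sizes of the unsalted schemes


def hex_digest_to_userpassword(hex_digest, scheme="MD5"):
    """Wrap a raw hex digest as '{MD5}...' or '{SHA}...'.

    slapd base64-encodes the raw digest *bytes*. Pasting the hex string after
    the scheme prefix yields a value that never matches any password."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != DIGEST_LEN[scheme]:
        raise ValueError(f"{scheme} digest must be {DIGEST_LEN[scheme]} bytes, got {len(raw)}")
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def check_unsalted(stored, candidate):
    """Verify a candidate password against an unsalted {MD5}/{SHA} value, the
    comparison slapd performs on a simple bind. A value with no scheme prefix
    is compared literally, because slapd treats it as cleartext."""
    if not stored.startswith("{"):
        return stored == candidate
    scheme, _, b64 = stored[1:].partition("}")
    algo = {"MD5": "md5", "SHA": "sha1"}[scheme.upper()]
    expected = base64.b64decode(b64)
    return hashlib.new(algo, candidate.encode("utf-8")).digest() == expected


def crypt_format(stored):
    """Name the crypt(3) flavour of a {CRYPT} value so you can check that the
    target system's crypt(3) supports it; the 13-character value in the
    question is traditional DES crypt."""
    value = stored[len("{CRYPT}"):]
    if value.startswith("$1$"):
        return "md5crypt"
    if value.startswith("$2"):
        return "bcrypt"
    if value.startswith("$5$"):
        return "sha256crypt"
    if value.startswith("$6$"):
        return "sha512crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "des"
    return "unknown"
```

Unsalted {MD5} is a weak scheme to keep long term; once the entries are imported, the next password change made through the LDAP Password Modify extended operation is hashed with the server's configured password-hash scheme, so the legacy values age out as users change passwords.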

Related

WordPress to begin learning Databases

I am inspecting WordPress' wp-config.php file. I used this guide to help go through things a bit: "A guided tour of wp-config.php."
However, most of it just repeated the names of the variables.
These define statements let us use define('DB_PASSWORD', 'somePass');.
What is this "method" actually doing?
Bonus question. I have a password in that method; however, it is encrypted. Is that what the database is looking for or does it want the plaintext password? If so, where is the algorithm to decrypt that password?
Happy to help,
define('DB_PASSWORD', 'somePass'); is the MySQL password for your website's database.
Example:
define('DB_NAME', 'name_of_your_database');
define('DB_USER', 'mysql_user_name');
define('DB_PASSWORD', 'mysql_password');
This tells WordPress to look for the database name_of_your_database using your MySQL user credentials: username mysql_user_name and password mysql_password.

How to configure and bootstrap OpenStack keystone with LDAP as the identity backend without getting an authentication failure?

I am using LDAP as the keystone identity backend, but it does not work as I expected.
I always get an authentication failure (HTTP 401 response).
I followed these docs to configure my keystone and LDAP:
I referred to this doc to configure keystone: https://docs.openstack.org/keystone/latest/admin/identity-integrate-with-ldap.html
I referred to this doc to configure LDAP: https://wiki.openstack.org/wiki/OpenLDAP
my openstack ldif file looks like this (it seems there is no admin user here; I added all of these to my LDAP):
dn: dc=openstack,dc=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack

dn: ou=Groups,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: roles
my openstack keystone.conf [ldap] section is:
url = ldap://localhost
user = cn=admin,dc=openstack,dc=org
password = password
suffix = dc=openstack,dc=org
my ldap slapd.conf is:
database bdb
suffix "dc=openstack,dc=org"
rootdn "cn=admin,dc=openstack,dc=org"
rootpw password
when I type this command (the --os-password nomoresecret is the default devstack password; I used it initially. devstack installs keystone with MySQL as the backend for all keystone services by default):
openstack --os-username admin --os-password nomoresecret --os-domain-name default --os-auth-url http://127.0.0.1:5000/ token issue
it returns:
The request you have made requires authentication. (HTTP 401) (Request-ID: req-bbd485e6-b689-4bf3-b8f8-7d55f994e79f)
when I type this command (the --os-password password is the LDAP rootpw password):
openstack --os-username admin --os-password password --os-domain-name default --os-auth-url http://127.0.0.1:5000/ token issue
it returns:
The request you have made requires authentication. (HTTP 401) (Request-ID: req-87bd8a1e-901e-4077-8461-095e3b7ee44e)
I cannot find a specific walk-through guide about bootstrapping keystone with the LDAP identity backend (the keystone install and configuration docs are mostly about using MySQL).
I referred to this: Ldap connection with Openstack could not find user : admin, but it has not solved the problem yet.
Can anyone help me with the basic correct configuration of keystone.conf and the LDAP .ldif files, and with how to bootstrap keystone with LDAP as the identity backend?
I want to configure keystone with LDAP manually first (although my OpenStack was installed by devstack, its version is from the master branch by default. In fact, I used devstack to install keystone with LDAP once, and it failed with an authentication failure).
If anyone can help, thank you in advance.
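An added example, not from the question above, that looks a user up the way keystone's LDAP identity driver does: it searches under user_tree_dn (which the keystone documentation says falls back to the [ldap] suffix when unset) for entries of user_objectclass (default inetOrgPerson) whose user_id_attribute (default cn) equals the login name. The first sample is the tree posted in the question, written with the blank lines LDIF requires between entries; the admin entry in the second sample is constructed. Note that the rootdn cn=admin,dc=openstack,dc=org from slapd.conf is a bind identity only, not an entry in the tree, and the [ldap] user/password pair is what keystone binds as to run its own searches; the account you authenticate with still has to exist as an entry under the user tree.

```python
import base64

# Added example, not part of the original post. The posted tree, with blank
# lines separating the entries as LDIF requires.
POSTED_LDIF = """\
dn: dc=openstack,dc=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
ou: openstack

dn: ou=Groups,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,dc=openstack,dc=org
objectClass: top
objectClass: organizationalUnit
ou: roles
"""

# Constructed: the kind of entry keystone's defaults can actually find.
LDIF_WITH_ADMIN = POSTED_LDIF + """
dn: cn=admin,ou=Users,dc=openstack,dc=org
objectClass: inetOrgPerson
cn: admin
sn: admin
userPassword: password
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' or
    'attr:: base64value' lines; attribute names folded to lower case."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dn_under(dn, base):
    """True if dn equals base or lies somewhere below it (case-insensitive)."""
    norm = lambda s: s.lower().replace(", ", ",")
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))


def find_user(entries, user_id, suffix, user_tree_dn=None,
              user_objectclass="inetOrgPerson", user_id_attribute="cn"):
    """Return the DN keystone would bind as for user_id, or None when no entry
    under the user tree matches; None is what surfaces as HTTP 401."""
    base = user_tree_dn or suffix        # keystone default: user_tree_dn = suffix
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        ids = [v.lower() for v in entry.get(user_id_attribute.lower(), [])]
        if dn_under(dn, base) and user_objectclass.lower() in classes and user_id.lower() in ids:
            return dn
    return None
```

Run against the posted tree, find_user returns None for "admin" whichever password is tried, which matches the two 401 responses in the question; with the constructed entry it returns the user's DN. The remaining pieces the linked keystone doc covers (selecting the driver in [identity], and giving the user a role assignment, since assignments do not live in LDAP) are outside what this check can see.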

Fetch LDAP passwords of all users as an administrator

I am the system administrator of an LDAP server.
As a sysadmin my aim is to inform all the users of their uids and passwords stored in the LDAP directory. I am able to get the uids of all the users, but I am not able to fetch the password for an individual user.
Essentially, I want to query the LDAP server to get the password details of each user.
I am not able to find a solution for this.
Please share how I can achieve this.

Where are encryption keys stored?

I'm new to cryptography. I've read that symmetric and asymmetric algorithms use one and two encryption keys respectively, and that these keys must be stored somewhere safe. But when I searched the web for tutorials about how to do encryption in ASP.NET I found something strange to me, for example this tutorial.
There is no public or private key stored or supplied when encrypting or decrypting data! I can't understand it.
Another problem I have is that all the tutorials I've found so far are just code without any explanation of what the code is and why it is used. I'd appreciate any good tutorial suggestions.
From the RSACryptoServiceProvider constructor documentation:
If no default key is found, a new key is created.
This constructor creates an Exchange key pair suitable to encrypt session keys so that they can be safely stored and exchanged with other users. The generated key corresponds to a key generated using the AT_KEYEXCHANGE value used in the unmanaged Microsoft Cryptographic API (CAPI).
So it is just generating a new key pair if it can't find one that was created already; you should not use this for anything other than session-based data.
 
A little background (I'm assuming you're using Windows): asymmetric key pairs are associated with certificates. These certificates are what you use to place trust on asymmetric keys. Every certificate can be signed by a certificate authority (the authority which issues the asymmetric keys); if you trust the certificate authority, then you trust the asymmetric keys which belong to a certificate signed by that authority. All these certificates are stored in your "Certificate Store", aka "Key Store" (Java), "Key Ring" (Mac).
You can view your certificates by doing Start > Run > certmgr.msc. Your certs are under Personal > Certificates. If you open one up, and go to the Certificate Path tab, you will see the certificate chain up to a certificate authority. If that "root" certificate, which belongs to the certificate authority, is found in your Trusted Root Certification Authorities > Certificates store, then the certificate is considered valid and trusted.
If you want to encrypt something for a user, you should go into his certificate store and pull out his encryption certificate. To do this, you should open up the "Current User" key store, iterate through all the certificates in there, pick out the ones with the key usage "Key Encipherment", and if there is more than one, ask the user which he wants to use.
If you want to encrypt something using a service account (for example if you were a web server) you should use certificates found in the "Local Machine" key store, and only grant your service account read access to the private key associated with the certificate you want to use.
This can be done using the X509Store class, for example:
using System.Security.Cryptography.X509Certificates;
X509Store certificateStore = new X509Store("MY", StoreLocation.CurrentUser);
certificateStore.Open(OpenFlags.ReadOnly); // the store must be opened before Certificates is populated
X509Certificate2Collection allCertificates = certificateStore.Certificates;
// Iterate through all certificates: foreach (X509Certificate2 cert in allCertificates) { ... }
certificateStore.Close();
"MY" represents personal certificates; the rest can be found here. CurrentUser represents user keys; the other option is LocalMachine.
Once you have the certificate you want to use, you should use the public key for encryption, and the private key for decryption, in conjunction with a symmetric key. So if you had a big set of data you wanted to encrypt, what you would do is:
Get certificate
Pull public key from certificate
Generate symmetric key (AES)
Encrypt data with symmetric key
Encrypt symmetric key with public key
Store encrypted symmetric key with the encrypted data, along with an identifier (Serial Number) for the certificate you used to encrypt
When you decrypt you should:
Read serial number from encrypted data
Pull certificate, from key store, with that serial number
Pull private key out of that certificate
Decrypt symmetric key with that private key
Decrypt data with that symmetric key
Use data
I have a bunch of code samples which accomplish this if you would like to take a look, just let me know which section you need help with.
That was probably a little confusing, so let me know what you want clarified.

OpenLDAP Authentication

Is there any way to define your own encryption/decryption rather than having a plaintext password store? Can you have your own algorithm and run that separately as part of the process? I am new, and the documentation online, although detailed, does not specify any concrete ways of doing this. This is specific to OpenLDAP and the current method used for authentication.
To have the server hash the password for you by default, you have to add the password policy overlay and a directive.
If you are using the online cn=config method add an overlay sub entry to your olcDatabase object.
dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyHashCleartext: TRUE
Slapd.conf method:
database bdb
suffix "dc=example,dc=com"
...
# invokes password policies for this DIT only
overlay ppolicy
ppolicy_hash_cleartext
Then when you add a new user with the userPassword attribute in plain text, it will store the password hashed. I believe the default is salted SHA-1, which is pretty secure. You should also look into restricting access to the userPassword attribute.
olcAccess: to attrs=userPassword by self write by * auth
Apache Directory Studio can accomplish this for you.
This LDAP browser detects the userPassword OID and provides an interface to hash the password,
such as:
userPassword:: e01ENX1Lc25MZmNBclBBQ0Q2M0NKamxTYll3PT0=
(it just works, because it's built in)
Read the OpenLDAP readme for more info:
This directory contains native slapd plugins for password mechanisms that
are not actively supported by the project. Currently this includes the
Kerberos, Netscape MTA-MD5 and RADIUS password mechanisms. The Apache
APR1 MD5 and BSD/Paul Henning Kamp MD5 mechanisms are also included.
To use the Kerberos plugin, add:
moduleload pw-kerberos.so
to your slapd configuration file.
yada yada yada
You should never, ever store passwords with reversible encryption if you use them for authentication!
You should store passwords with a one-way hash function: MD5, SHA1, SHA256. If you do not absolutely require storing them in some old, specific format, you should always salt them. Salted SHA1 is OpenLDAP's good default.
The problem is that you need to use the LDAP extended operation to change the password, not a regular ldapmodify update, for it to work properly. Best to use ppolicy to actually enforce setting the password this way. You may want to do password quality checking and ageing while you're at it.
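An added example, not code from either answer above, that reproduces what ppolicy_hash_cleartext (or slappasswd -h '{SSHA}') stores for a cleartext userPassword, verifies a bind against it, and classifies the values found in a directory export. It also answers the earlier "fetch all users' passwords as an administrator" question in code: the salt rides inside the stored value so the server can recompute the hash during a bind, but there is no cleartext to read back, so an administrator can only see which entries are unhashed or weakly hashed. The 4-byte salt length matches slappasswd's default; the export is constructed for this example, except the {MD5} value, which is the one shown in the answer above decoded from its base64 LDIF form.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the original answers.
SSHA_SALT_LEN = 4   # slappasswd's default salt size; any length verifies the same way


def make_ssha(password, salt=None):
    """'{SSHA}' + base64(sha1(password || salt) || salt), the layout slapd uses.
    The salt is appended to the digest, so no separate secret is needed to
    check a bind later."""
    salt = os.urandom(SSHA_SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, candidate):
    """Split the value into digest and salt, recompute, compare in constant time."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]          # SHA-1 digests are 20 bytes
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def classify_userpassword(value):
    """Scheme name of a userPassword value, or 'cleartext' when it carries no
    {SCHEME} prefix (slapd compares such values literally on bind)."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "cleartext"


# Constructed export (DN, userPassword). Alice was added with a plain value and
# no ppolicy_hash_cleartext; Bob's value is what the overlay would have stored;
# Carol's is the {MD5} value from the answer above.
EXPORT = [
    ("uid=alice,ou=People,dc=example,dc=com", "hunter2"),
    ("uid=bob,ou=People,dc=example,dc=com", make_ssha("hunter2", salt=b"\x01\x02\x03\x04")),
    ("uid=carol,ou=People,dc=example,dc=com",
     base64.b64decode("e01ENX1Lc25MZmNBclBBQ0Q2M0NKamxTYll3PT0=").decode("ascii")),
]


def audit(export):
    """Map each DN to the scheme protecting its password. This is all an
    administrator can learn from the attribute: which entries need rehashing,
    never the passwords behind hashed values."""
    return {dn: classify_userpassword(value) for dn, value in export}
```

Two calls to make_ssha with the same password give different stored values because the salt is random, which is the point of the salted scheme; check_ssha still accepts both. The "by self write by * auth" ACL from the first answer matters here too: with "auth" access a client can only bind against userPassword, not read it, so even cleartext values like Alice's do not leak over the wire to ordinary searches.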
