Printout Header
LEX RSS Feed

LEX Online Manual Content

Editor for Password Attributes

This editor is used to show, edit or create LDAP password attributes:

Editor for password attributes

In the top area of this dialog, you see the distinguished name and type icon for the object whose attribute your are editing. In the line beneath, the attribute name is shown.

Passwords are often stored in LDAP systems according to the rules outlined in RFC 2307 'An Approach for Using LDAP as a Network Information Service'. This document describes among other things how password can be stored in an LDAP attribute. Most generic LDAP directories like OpenLDAP, iPlanet, 389 Directory Server or DirX uses this password methods, only Active Directory uses other proprietary mechanisms to handle password information.

Passwords should never be stored in an attribute in clear text - in fact, most generic LDAP directories store an hash value of the password - in other words, a kind of encryption. Normally it should prevent any user who can read this value to re-calculate the original password, but it allows to check a password entered by the user in an authentication process.

Depending on the directory server, several different hash algorithms could be used. According to RFC 2307, the syntax of the hash value has to be '{HashAlgorithm}Hashvalue'. Only a few hash algorithms are used without indicating the algorithm name in curly brackets.

The LEX password editor can calculate hash values for you, if you want to set a new password for an object. You just have to enter the password in the New password text box. When you re-enter the same password in the Confirm password text box, the regarding hash value is calculated and shown in the Password value box.


Please note that not all of these algorithms are supported by all LDAP servers. If you use an algorithm which indicated in the hash value, you can use the In Uppercase option to choose how the algorithm label should be inserted. Oddly enough, some LDAP server enforces the label to be upper case, although the RFC document specify this to be in lower case.

  • Plain Text: Obviously, this is not an hash algorithms. In fact, the password value will be shown and written in clear text. Many modern LDAP servers will convert a written clear text password automatically in a hash value when the store the attribute in the directory database.

  • CRYPT: This is the Unix Crypt hash algorithm, based on DES (Data Encryption Standard) with a 2 byte salt. Because DES was defined already in 1973, this algorithm is considered not to be the strongest.

  • MD5: The MD5 algorithm is a hash function with a 128 bit hash value. It was defined 1992 in the RFC 1321. MD5 is widely considered cryptographically broken and unsuitable for further use. There are many web sites where you can perform a rainbow table attack against an MD5 value in seconds - so you should not use this algorithm any more.

  • SMD5: This is the salted version of the MD5 hash algorithm, so this is more secure than a pure MD5.

  • SHA: This is the SHA-1 algorithm. SHA stands for Secure Hash Algorithm. It generates hash values 160 bit hash values. The modern SHA-2 algorithms (see below) are stronger, but the SHA-1 is more widely supported by LDAP servers.

  • SSHA: This is the salted version of the SHA hash algorithm, so this is more secure than a pure SHA.

  • SHA-256: This is the SHA-2 algorithm with a hash value length of 256 bit. SHA stands for Secure Hash Algorithm. The longer the hash value, the saver the algorithm - but it has to be supported by the regarding LDAP server also....

  • SSHA-256: This is the salted version of the SHA-256 hash algorithm, so this is more secure than a pure SHA-256.

  • SHA-384: This is the SHA-2 algorithm with a hash value length of 384 bit. SHA stands for Secure Hash Algorithm. The longer the hash value, the saver the algorithm - but it has to be supported by the regarding LDAP server also....

  • SSHA-384: This is the salted version of the SHA-384 hash algorithm, so this is more secure than a pure SHA-384.

  • SHA-512: This is the SHA-2 algorithm with a hash value length of 512 bit. SHA stands for Secure Hash Algorithm. The longer the hash value, the saver the algorithm - but it has to be supported by the regarding LDAP server also....

  • SSHA-512: This is the salted version of the SHA-512 hash algorithm, so this is more secure than a pure SHA-512.

  • Samba LM: This is the Microsoft Lan Manager hash algorithm which is used in the Samba specific attributes sambaLMPassword, lmPassword, sambaNTPassword and ntPassword. It is an DES (Data Encryption Standard) based algorithm, the hash value is a string which represents the hexadecimal hash value. Be aware that this algorithm can be easily cracked with different methods, so it's recommended to use the more modern Samba NTLM instead (if the regarding server supports it).

  • Samba NTLM: This is the Microsoft Windows NT Lan Manager hash algorithm which is used in the Samba specific attributes sambaLMPassword, lmPassword, sambaNTPassword and ntPassword. It is based on an MD4, the hash value is a string which represents the hexadecimal hash value.

Salted hash algorithms


Many hash algorithms can be made stronger by adding a random value (the 'salt') to the original initial data which has to be encrypted/hashed. This additional value prevents the easy re-calculation of the initial data from the hash value, so it generally makes an hash algorithm stronger.

If you use a salted password hash algorithm like SMD5, SSHA, SSHA-256, SSHA-384 or SSHA-512, LEX generates a randomized salt value for each hash calculation. You cannot set the salt value manually, but you can decide how long this value should be. Just open the application option Tools - Options - Attribute Syntaxes for this:

Setting the cryptographic salt length

The default salt length used by LEX is 8 bytes.


Editing the raw password data


If you opened a userPassword attribute with the password editor dialog, the regarding data is basically handled as binary data by the LDAP directory. You can display and edit the password data in it's binary form if you want: Just press on the Raw label in the bottom left corner of the dialog. The editor is switched to an binary editor then:

Editing the raw password data


Checking the current directory password


If a password hash value is stored in an LDAP attribute, you normally cannot determine any more what the real password was. If you want to check if a hash value found in the directory corresponds to a certain password string, you can do the following:

  1. Enter the password string you want to check against in the New password text box.

  2. Re-enter this string in the Confirm password text box.

  3. Press the Check against the current password button. LEX calculates the hash value according to the algorithm setting in the dialog. The calculated hash value is checked against the attribute content in the directory. Even hashes with random salt values can be checked. If the password matches with the directory value, the following message is shown:

    Successful password check


When will the password editor will be used?


For the use of the password editor, LEX evaluate the attribute's name:

The password editor which assumes that the password attribute is basically a binary value is used whenever the attribute userPassword is accessed.

The password editor which assumes that the password attribute is basically a string value is used whenever the samba attributes sambaLMPassword, lmPassword, sambaNTPassword or ntPassword are accessed.

 

Tweet