DS 5.2 storing cleartext passwords
807573, Jun 14 2004 (edited Aug 23 2004)
Hi:
I've opened a Sun trouble ticket on this, but have not received a resolution yet. I'm interested in learning whether anyone else can replicate this behavior.
I have SunONE Directory Server 5.2 (downloaded two weeks ago) installed on a variety of different systems. Using ldapmodify and ldapsearch, I can insert a password and then read it as cleartext.
This is shown in the below shell sessions (machine names and passwords changed to protect the innocent). Note that OS version, encryption scheme, library version and executable version are varied, with the same results.
Anyone who has seen this, or -- better yet -- anyone with a resolution: please reply to this thread.
Thanks.
----1. Hostname, ldapsearch for test user in new LDAP
[user@jung]> uname -a
SunOS jung 5.9 Generic_112233-12 sun4u sparc SUNW,Ultra-4
[user@jung]> ldapsearch -D "cn=Directory Manager" -w PASSWORD -p 40002 -b "dc=domain,dc=edu" uid=test_user userpassword
version: 1
dn: uid=test_user,ou=People,dc=domain,dc=edu
userpassword: {SSHA}7Va9MnP0cpU/KFa+GWNFIeIaHHxtQxdPtjKLHQ==
----1a. Using 5.2 libraries and 5.2 executables, modify and search
[user@jung]> export LD_LIBRARY_PATH=/ldap/sunone/lib
[user@jung]> /ldap/sunone/shared/bin/ldapmodify -p 40002 -D "cn=Directory Manager" -w PASSWORD
dn: uid=test_user,ou=People,dc=domain,dc=edu
changetype: modify
delete: userpassword
-
add: userpassword
userpassword: newWord33
modifying entry uid=test_user,ou=People,dc=domain,dc=edu
[user@jung]> /ldap/sunone/shared/bin/ldapsearch -D "cn=Directory Manager" -w PASSWORD -p 40002 -b "dc=domain,dc=edu" uid=test_user userpassword
version: 1
dn: uid=test_user,ou=People,dc=domain,dc=edu
userpassword: newWord33
----1b. Using 4.16SP1 libraries and 4.16SP1 executables, modify and search
[user@jung]> export LD_LIBRARY_PATH=/ldap/netscape/server4/lib
[user@jung]> /ldap/netscape/server4/shared/bin/ldapmodify -p 40002 -D "cn=Directory Manager" -w PASSWORD
dn: uid=test_user,ou=People,dc=domain,dc=edu
changetype: modify
delete: userpassword
-
add: userpassword
userpassword: newWord44
modifying entry uid=test_user,ou=People,dc=domain,dc=edu
[user@jung]> /ldap/netscape/server4/shared/bin/ldapsearch -D "cn=Directory Manager" -w PASSWORD -p 40002 -b "dc=domain,dc=edu" uid=test_user userpassword
dn: uid=test_user,ou=People,dc=domain,dc=edu
userpassword: newWord44
----2. On a different machine, a different OS, a different patch level, a different password encryption scheme, with different data and a different schema, I saw the same behavior
freud> uname -a
SunOS freud 5.8 Generic_117350-02 sun4u sparc SUNW,Ultra-5_10
freud> ldapsearch -D "cn=Directory Manager" -w PASSWORD -b "dc=domain,dc=edu" uid=shepard userpassword
uid=shepard,ou=People,dc=domain,dc=edu
userPassword={crypt}x
freud> ldapmodify -D "cn=Directory Manager" -w PASSWORD
dn: uid=shepard,ou=people,dc=domain,dc=edu
changetype: modify
delete: userpassword
-
add: userpassword
userpassword: newWord55
modifying entry uid=shepard,ou=people,dc=domain,dc=edu
freud> ldapsearch -D "cn=Directory Manager" -w PASSWORD -b "dc=domain,dc=edu" uid=shepard userpassword
uid=shepard,ou=People,dc=domain,dc=edu
userpassword=newWord55
----3. On yet ANOTHER machine, one that has never had an LDAP configured on it, I saw the same behavior
$ uname -a
SunOS confucious 5.9 Generic_112233-12 sun4u sparc SUNW,Ultra-250
$ /web/sunone/shared/bin/ldapsearch -p 40002 -D "cn=Directory Manager" -w PASSWORD -b dc=domain,dc=edu uid=test_user userpassword
version: 1
dn: uid=test_user,ou=People,dc=domain,dc=edu
userpassword: {SSHA}3MLfOfdEOGGIr9y01HzgR2abxsGYIy1IaRlnLw==
$ /web/sunone/shared/bin/ldapmodify -p 40002 -D "cn=Directory Manager" -w PASSWORD
dn: uid=test_user,ou=People,dc=domain,dc=edu
changetype: modify
delete: userpassword
-
add: userpassword
userpassword: CanUReadThis???
modifying entry uid=test_user,ou=People,dc=domain,dc=edu
$ /web/sunone/shared/bin/ldapsearch -p 40002 -D "cn=Directory Manager" -w PASSWORD -b dc=domain,dc=edu uid=test_user userpassword
version: 1
dn: uid=test_user,ou=People,dc=domain,dc=edu
userpassword: CanUReadThis???
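A defender reading this thread will want a quick way to audit an existing directory for the same condition, i.e. find every entry whose userPassword is not stored under a hashing scheme. The script below is an added example; it is not part of the original post and not a Sun or Netscape tool. It parses ldapsearch output in both styles that appear in the sessions above (LDIF `attr: value` / `attr:: base64` lines, and the older `attr=value` lines printed by the 4.x client) and reports every userPassword value that has no `{SCHEME}` prefix. A value tagged `{CLEAR}` is reported as well, since that scheme stores the value as-is. The sample inputs and all hash-looking strings in it are constructed placeholders, and the base DN `dc=example,dc=edu` is an assumption.

```python
"""Audit ldapsearch output for userPassword values stored in cleartext.

Added example (not from the original post, not a Sun/Netscape tool). Handles
the LDIF "attr: value" / "attr:: base64" output of the 5.x client and the
older "attr=value" output of the 4.x client, both as seen in the thread.
"""
import base64
import re
import sys

# A hashed value as emitted by Directory Server starts with a scheme tag,
# e.g. {SSHA}... or {crypt}...  The tag name is compared case-insensitively.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")
LDIF_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$")
EQ_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)=(.*)$")


def _decode(sep, value):
    """LDIF uses '::' for base64-encoded values and ':' for plain ones."""
    if sep == "::":
        return base64.b64decode(value).decode("utf-8", errors="replace")
    return value


def parse_ldapsearch(text):
    """Return [(dn, {attr_lowercase: [values]})] from ldapsearch output.

    Blank lines separate entries; a line starting with a space continues the
    previous line (LDIF folding); 'version: 1' headers are skipped.  In the
    older output format the DN appears bare on the first line of an entry
    and the attributes follow as 'attr=value'.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw.rstrip("\r"))

    entries = []
    current = None
    for line in lines:
        if not line.strip():
            current = None                  # entry boundary
            continue
        low = line.lower()
        if low.startswith("version:"):
            continue
        if low.startswith("dn:"):
            m = LDIF_ATTR_RE.match(line)
            current = (_decode(m.group(2), m.group(3)).strip(), {})
            entries.append(current)
            continue
        if current is None:
            current = (line.strip(), {})    # bare DN line (older client format)
            entries.append(current)
            continue
        m = LDIF_ATTR_RE.match(line)
        if m:
            attr, value = m.group(1).lower(), _decode(m.group(2), m.group(3))
        else:
            m = EQ_ATTR_RE.match(line)
            if not m:
                continue                    # not an attribute line; ignore
            attr, value = m.group(1).lower(), m.group(2)
        current[1].setdefault(attr, []).append(value)
    return entries


def is_cleartext(value):
    """True if the stored value has no storage-scheme tag or is tagged {CLEAR}."""
    m = SCHEME_RE.match(value)
    return m is None or m.group(1).upper() == "CLEAR"


def cleartext_passwords(text):
    """Return [(dn, value)] for every userPassword value stored in cleartext."""
    findings = []
    for dn, attrs in parse_ldapsearch(text):
        for value in attrs.get("userpassword", []):
            if is_cleartext(value):
                findings.append((dn, value))
    return findings


# Constructed sample output in the 5.x (LDIF) style; hash strings are placeholders.
SAMPLE_LDIF = """\
version: 1
dn: uid=test_user,ou=People,dc=example,dc=edu
userpassword: {SSHA}placeholderPLACEHOLDERplaceholder==

dn: uid=other,ou=People,dc=example,dc=edu
userpassword: newWord33

dn: uid=b64,ou=People,dc=example,dc=edu
userpassword:: bmV3V29yZDQ0

dn: uid=clear,ou=People,dc=example,dc=edu
userpassword: {CLEAR}letmein
"""

# Constructed sample output in the 4.x ("attr=value") style.
SAMPLE_OLD = """\
uid=shepard,ou=People,dc=example,dc=edu
userPassword={crypt}xyPLACEHOLDER

uid=kant,ou=People,dc=example,dc=edu
userpassword=newWord55
"""

if __name__ == "__main__":
    # Pipe real output in, e.g.:
    #   ldapsearch -D "cn=Directory Manager" -w PASSWORD -b "dc=example,dc=edu" \
    #       "(userpassword=*)" userpassword | python3 audit_passwords.py
    # Without piped input the constructed samples are audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF + "\n" + SAMPLE_OLD
    for dn, value in cleartext_passwords(data):
        # Report the entry, not the secret: printing the value would just
        # copy the cleartext password into a terminal log.
        print(f"CLEARTEXT userPassword ({len(value)} chars): {dn}")
```

The report deliberately prints only the DN and the value length, so the audit output can be attached to a ticket without itself leaking the passwords it found. Run it as Directory Manager (or another identity allowed to read userPassword), because an ordinary bind will usually not see the attribute at all and would make every entry look clean.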