
narf Source control manager Git

authorOlivier Mehani <shtrom@ssji.net>2016-05-21 21:26:26 +1000
committerOlivier Mehani <shtrom@ssji.net>2016-05-21 21:26:26 +1000
commit13f2781e1f1875a19e702d64df065a8f56cfc7b1 (patch)
treeee700f549427d0bb4d7e901c0db4d3840cb80cb2
parent66cf76614c6d91a673e129ae286e75595cc40e79 (diff)
Import openldap_passwd.py, from [0], with ARGV support
[0] https://gist.github.com/rca/7217540 Signed-off-by: Olivier Mehani <shtrom@ssji.net>
-rwxr-xr-xopenldap_passwd.py64
1 files changed, 64 insertions, 0 deletions
diff --git a/openldap_passwd.py b/openldap_passwd.py
new file mode 100755
index 0000000..43f8c87
--- /dev/null
+++ b/openldap_passwd.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python2
+"""
+http://www.openldap.org/faq/data/cache/347.html
+
+As seen working on Ubuntu 12.04 with OpenLDAP 2.4.28-1.1ubuntu4
+
+Author: Roberto Aguilar <roberto@baremetal.io>
+"""
+import hashlib
+import os
+import sys
+
+
+def check_password(tagged_digest_salt, password):
+ """
+ Checks the OpenLDAP tagged digest against the given password
+ """
+ # the entire payload is base64-encoded
+ assert tagged_digest_salt.startswith('{SSHA}')
+
+ # strip off the hash label
+ digest_salt_b64 = tagged_digest_salt[6:]
+
+ # the password+salt buffer is also base64-encoded. decode and split the
+ # digest and salt
+ digest_salt = digest_salt_b64.decode('base64')
+ digest = digest_salt[:20]
+ salt = digest_salt[20:]
+
+ sha = hashlib.sha1(password)
+ sha.update(salt)
+
+ return digest == sha.digest()
+
+
+def make_secret(password):
+ """
+ Encodes the given password as a base64 SSHA hash+salt buffer
+ """
+ salt = os.urandom(4)
+
+ # hash the password and append the salt
+ sha = hashlib.sha1(password)
+ sha.update(salt)
+
+ # create a base64 encoded string of the concatenated digest + salt
+ digest_salt_b64 = '{}{}'.format(sha.digest(), salt).encode('base64').strip()
+
+ # now tag the digest above with the {SSHA} tag
+ tagged_digest_salt = '{{SSHA}}{}'.format(digest_salt_b64)
+
+ return tagged_digest_salt
+
+
+if __name__ == '__main__':
+ if len(sys.argv) > 1:
+ print(make_secret(sys.argv[1]))
+ else:
+ # buffer straight out of OpenLDAP
+ ldap_buf = 'e1NTSEF9VGY1dVFxUkl0VzV2NGowV0RNNXczY2dJd2ZLS0FUcFg='
+ print 'ldap buffer result: {}'.format(check_password(ldap_buf, 'foobar'))
+
+ # check that make_secret() above can properly encode
+ print 'checking make_secret: {}'.format(check_password(make_secret('foobar'), 'foobar'))
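Review bot: The self-test in the `else` branch passes `ldap_buf`, which is still the base64 form of the `{SSHA}`-tagged string, to `check_password`, whose first statement is `assert tagged_digest_salt.startswith('{SSHA}')`. That call raises AssertionError instead of printing a result, and under `python -O` the assert is stripped, so the wrong slice is silently compared. The comment above the assert ("the entire payload is base64-encoded") suggests a decode was intended there, e.g. `if not tagged_digest_salt.startswith('{SSHA}'): tagged_digest_salt = tagged_digest_salt.decode('base64')`, followed by an explicit `raise ValueError(...)` when the tag is still missing. Separately, `make_secret(sys.argv[1])` takes the cleartext password from the command line, where it is visible in the process list and shell history; reading it with `getpass.getpass()` when stdin is a terminal avoids that. The final `return digest == sha.digest()` would be better as `return hmac.compare_digest(digest, sha.digest())` on Python 2.7.7 or later, so the comparison does not leak timing.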