[perso/Immae/Config/Nix.git] / wip-openldap-static / openldap_passwd.py

#!/usr/bin/env python
"""
http://www.openldap.org/faq/data/cache/347.html

As seen working on Ubuntu 12.04 with OpenLDAP 2.4.28-1.1ubuntu4

Author: Roberto Aguilar <roberto@baremetal.io>
"""
import hashlib
import os
import base64


def check_password(tagged_digest_salt, password):
    digest_salt_b64 = tagged_digest_salt.encode('utf-8')[6:]
    digest_salt = base64.decodebytes(digest_salt_b64)
    digest = digest_salt[:20]
    salt = digest_salt[20:]
    print(len(digest))
    print(salt)

    sha = hashlib.sha1(password.encode('utf-8'))
    sha.update(salt)

    return digest == sha.digest()


def make_secret(password):
    """
    Encodes the given password as a base64 SSHA hash+salt buffer
    """
    salt = os.urandom(4)

    # hash the password and append the salt
    sha = hashlib.sha1(password.encode('utf-8'))
    sha.update(salt)

    # create a base64 encoded string of the concatenated digest + salt
    digest_salt_b64 = base64.b64encode(sha.digest() + salt).decode()

    # now tag the digest above with the {SSHA} tag
    tagged_digest_salt = '{{SSHA}}{}'.format(digest_salt_b64)

    return tagged_digest_salt


if __name__ == '__main__':
    # buffer straight out of OpenLDAP
    ldap_buf = '{SSHA}n8qRdZpyk5Ayb8PGWfFzT8vcNpGR4ebQ'
    password = "riefCutBisnumadNie"
    print( 'ldap buffer result: {}'.format(check_password(ldap_buf, password)))

    # check that make_secret() above can properly encode
    print( 'checking make_secret: {}'.format(check_password(make_secret(password), password)))
Commit	Line	Data
28e86f33 IB	1	#!/usr/bin/env python
	2	"""
	3	http://www.openldap.org/faq/data/cache/347.html
	4
	5	As seen working on Ubuntu 12.04 with OpenLDAP 2.4.28-1.1ubuntu4
	6
	7	Author: Roberto Aguilar <roberto@baremetal.io>
	8	"""
	9	import hashlib
	10	import os
	11	import base64
	12
	13
	14	def check_password(tagged_digest_salt, password):
	15	digest_salt_b64 = tagged_digest_salt.encode('utf-8')[6:]
	16	digest_salt = base64.decodebytes(digest_salt_b64)
	17	digest = digest_salt[:20]
	18	salt = digest_salt[20:]
	19	print(len(digest))
	20	print(salt)
	21
	22	sha = hashlib.sha1(password.encode('utf-8'))
	23	sha.update(salt)
	24
	25	return digest == sha.digest()
	26
	27
	28	def make_secret(password):
	29	"""
	30	Encodes the given password as a base64 SSHA hash+salt buffer
	31	"""
	32	salt = os.urandom(4)
	33
	34	# hash the password and append the salt
	35	sha = hashlib.sha1(password.encode('utf-8'))
	36	sha.update(salt)
	37
	38	# create a base64 encoded string of the concatenated digest + salt
	39	digest_salt_b64 = base64.b64encode(sha.digest() + salt).decode()
	40
	41	# now tag the digest above with the {SSHA} tag
	42	tagged_digest_salt = '{{SSHA}}{}'.format(digest_salt_b64)
	43
	44	return tagged_digest_salt
	45
	46
	47	if __name__ == '__main__':
	48	# buffer straight out of OpenLDAP
	49	ldap_buf = '{SSHA}n8qRdZpyk5Ayb8PGWfFzT8vcNpGR4ebQ'
	50	password = "riefCutBisnumadNie"
	51	print( 'ldap buffer result: {}'.format(check_password(ldap_buf, password)))
	52
	53	# check that make_secret() above can properly encode
	54	print( 'checking make_secret: {}'.format(check_password(make_secret(password), password)))