[Freeipa-users] Possible to extract password of ldap

Martin Kosek mkosek at redhat.com
Fri Aug 1 08:32:02 UTC 2014


On 08/01/2014 08:23 AM, barrykfl at gmail.com wrote:
> Hi :
> 
> Is it possible to read clear text of password of ipa users by admin ?

No. Admin can't even read the hash:

# ldapsearch -Y GSSAPI -b uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com uid userPassword
SASL/GSSAPI authentication started
SASL username: admin@IDM.LAB.BOS.REDHAT.COM
SASL SSF: 56
SASL data security layer installed.
...
# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar
...

Directory Manager can read the user password hash:

# ldapsearch -D "cn=Directory Manager" -x -W -b uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com uid userPassword
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com>
with scope subtree
# filter: (objectclass=*)
# requesting: uid userPassword
#

# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar
userPassword:: e1NTSEF9Vnp6VDdBbDlQUVMrUHJTK1NsNnNlN1pNYU5oRnRxT2J2L3dtNUE9PQ=
 =

# echo e1NTSEF9Vnp6VDdBbDlQUVMrUHJTK1NsNnNlN1pNYU5oRnRxT2J2L3dtNUE9PQ== | base64 --decode
{SSHA}VzzT7Al9PQS+PrS+Sl6se7ZMaNhFtqObv/wm5A==

That's all, no clear passwords - by design.

> I'm facing the issue of a half rollout, as half the volume of users have changed
> their password already.
> 
> And if I deploy and reset all passwords then it may cause issues for this half,
> 
> and we don't have records of which users' passwords were sent.

I am not sure if I understand the question, but if your users have problems
with their passwords, you can administratively reset them and send the new ones
to them (they will then be forced to set their own:
http://www.freeipa.org/page/New_Passwords_Expired).

Martin
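To make the point above concrete, here is an added example (not code from Martin's message or from FreeIPA/389-ds) that decodes the `userPassword::` value exactly as it appears in the folded LDIF output shown in the reply, splits the `{SSHA}` blob into its SHA-1 digest and salt, and implements the verify step a directory server performs. The LDIF fragment is copied from the message; the `ssha_hash`/`ssha_verify` functions and the sample password and salt are constructed for the example. The layout assumed for `{SSHA}` is `base64(sha1(password || salt) || salt)`, which is what 389-ds stores. It shows why the stored value lets the server check a password but never recover it: the only operation available is "hash this candidate with the same salt and compare".

```python
import base64
import hashlib
import hmac
import os

# LDIF fragment copied from the ldapsearch output in the message above.
# "::" marks a base64-encoded value and a leading space continues the
# previous line (LDIF folding, RFC 2849), which is why the value wraps.
SAMPLE_LDIF = """\
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar
userPassword:: e1NTSEF9Vnp6VDdBbDlQUVMrUHJTK1NsNnNlN1pNYU5oRnRxT2J2L3dtNUE9PQ=
 =
"""

SHA1_LEN = 20  # SHA-1 digest length in bytes; whatever follows it is the salt


def parse_ldif_entry(text):
    """Unfold continuation lines and return {attr: [bytes, ...]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        if line.startswith("#"):          # ldapsearch comment lines
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64value"
            entry.setdefault(attr, []).append(base64.b64decode(value[1:].strip()))
        else:                             # "attr: plainvalue"
            entry.setdefault(attr, []).append(value.strip().encode())
    return entry


def split_ssha(stored):
    """Split b'{SSHA}<base64>' into (sha1_digest, salt)."""
    if not stored.upper().startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value the way the directory server would store it."""
    if salt is None:
        salt = os.urandom(8)              # 389-ds uses an 8-byte random salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def ssha_verify(candidate, stored):
    """The only thing a stored {SSHA} value supports: compare, not recover."""
    digest, salt = split_ssha(stored)
    computed = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)   # constant-time compare


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    stored = entry["userPassword"][0]
    digest, salt = split_ssha(stored)
    print(stored.decode())                # {SSHA}VzzT7Al9PQS+PrS+Sl6se7ZMaNhFtqObv/wm5A==
    print(len(digest), "byte digest,", len(salt), "byte salt")
    # Constructed password and salt, only to show the verify round-trip.
    demo = ssha_hash("correct horse battery", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print(ssha_verify("correct horse battery", demo), ssha_verify("wrong", demo))
```

Decoding the value from the message gives a 20-byte digest and an 8-byte salt, matching the `{SSHA}` string in the `base64 --decode` step. Note also that `parse_ldif_entry` is what makes the wrapped `userPassword::` line usable at all; tools that naively split on newlines will truncate the hash.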
