The Solaris 10 LDAP client stores its credentials in the file /var/ldap/ldap_client_cred
. The password is hashed using NS1 format. The correct hash for your password is created for you when you use ldapclient to generate the configuration but if you simply wish to change the credentials without running that tool you have to jump through a few hoops.
One suggested solution is to find a Solaris 8 system and use the LDAP configuration tools from there, as one option allows you to dump a profile to stdout without applying it. This is a bit of a hassle if you have a Solaris 8 system and not much use if you don’t.
Now that Solaris is Open Source it’s much easier to create an NS1 hash. We can build our own tool straight form the horse’s mouth.
libsldap has the code we need. At time of writing it’s available from the OpenSolaris project. Download the three files ns_internal.h
, ns_sldap.h
and ns_crypt.c
. On a Solaris 10 system the ns_crypt.c
file can be compiled without any changes.
$ gcc -I . -c ns_crypt.c
On Linux we can make a few tweaks to the code in order to compile it.
Now save the following as main.c
.
#include "ns_sldap.h"
#include "ns_internal.h"
static int is_cleartext(const char *pwd) {
return strncmp(pwd, CRYPTMARK, strlen(CRYPTMARK));
}
int main(int argc, char **argv) {
if (argc == 1) {
fprintf(stderr, "Usage: ns1 <hash>\n");
fprintf(stderr, "Usage: ns1 <plaintext>\n");
exit(1);
}
if (is_cleartext(argv[1])) printf("%s\n", evalue(argv[1]));
else printf("%s\n", dvalue(argv[1]));
exit(0);
}
Compile ns1.c
:
$ gcc -I . -c ns1.c
And finally link the two object files.
$ gcc -o ns1 ns1.o ns_crypt.o
You may need to add -lcrypt
to the above on Linux.
With the tool we just compiled we can make some NS1 hashes.
$ ./ns1 my_secret_password
{NS1}c2ab9ff37b69c4b5a665a2b15d003bba0779
$ ./ns1 {NS1}c2ab9ff37b69c4b5a665a2b15d003bba0779
my_secret_password