MichelReap

Reputation: 5770

Compare password to LDAP stored password

I am creating a "change password" form where the user is required to enter the previous password first, then a new password (twice).

I should compare the entered "previous password" to the one already stored.

My web application uses an LDAP server to store user credentials. Password is apparently stored using SHA.

So what I do is get the previous password entered by the user, digest it using SHA1, then compare it.

    // Asker's code: hash the entered old password and fetch the stored attribute
    String oldPass = request.getParameter("oldpass");
    String enteredOldPass = App.getInstance().getCipher().cipher(oldPass);
    String ldapPassword = ctx.get("userpassword");

But this isn't working, because the passwords are different. When I store "test" in the LDAP I obtain {sha}qUqP5cyxm6YcTAhz05Hph5gvu9M= when calling .get("userPassword"), whilst I get a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 when hashing "test" by myself.

What am I doing wrong here? It seems that a step is missing since my result is purely hex, while the one I get from the LDAP is ASCII. But I tried converting the string to hex (using string to hex online converters) and the result is still different.

Upvotes: 1

Views: 1522

Answers (2)

Kwalldio

Reputation: 1

You must convert to binary, then convert to base64. Try this:

echo -n "test" | sha1sum | awk '{print $1}'

The result will be a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

echo -n "test" | sha1sum | awk '{print $1}' | xxd -r -p | base64 

The result will be qUqP5cyxm6YcTAhz05Hph5gvu9M=

Upvotes: -1
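The mismatch in the question is purely one of encoding: the LDAP `userPassword` value is a `{scheme}` prefix followed by the base64 of the raw 20-byte SHA-1 digest, while the asker compares against the hex encoding of the same digest. The Python below is an added example (not code from the question or either answer) that parses that format, recomputes the digest and compares it in constant time; it also covers the salted `{SSHA}` variant (digest followed by salt), which goes beyond what the page shows. Function names are my own.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest size in bytes; in {SSHA} the salt follows the digest


def parse_userpassword(stored: str):
    """Split an LDAP userPassword value such as '{sha}qUqP...' into (SCHEME, raw bytes)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword value has no {scheme} prefix")
    end = stored.index("}")
    scheme = stored[1:end].upper()          # servers may emit {sha} or {SHA}
    payload = base64.b64decode(stored[end + 1:])
    return scheme, payload


def encode_sha(password: str) -> str:
    """Produce the unsalted {SHA} form the question's server stores."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: bytes = None) -> str:
    """Produce the salted {SSHA} form: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SHA} or {SSHA} value."""
    scheme, payload = parse_userpassword(stored)
    pw = candidate.encode("utf-8")
    if scheme == "SHA":
        expected = hashlib.sha1(pw).digest()
        return hmac.compare_digest(expected, payload)   # constant-time compare
    if scheme == "SSHA":
        digest, salt = payload[:SHA1_LEN], payload[SHA1_LEN:]
        expected = hashlib.sha1(pw + salt).digest()
        return hmac.compare_digest(expected, digest)
    raise ValueError(f"unsupported password scheme {{{scheme}}}")


if __name__ == "__main__":
    # Constructed sample: the value quoted in the question for the password "test"
    stored = "{sha}qUqP5cyxm6YcTAhz05Hph5gvu9M="
    print(encode_sha("test") == "{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=")  # True
    print(verify(stored, "test"), verify(stored, "Test"))             # True False
```

This only works for schemes the application knows how to recompute; rebinding as the user (the other answer) delegates that to the server and keeps working if the directory switches to a different scheme.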

user207421

Reputation: 310980

You don't do any of this.

  • You attempt to rebind as the user with that password. It either succeeds or fails. That tells you whether it was right or wrong. The API and protocol and server will take care of any hashing required.
  • Or, if you're using an LDAP server that supports the extended change-password operation, you provide the old and new passwords in the extended operation.

Upvotes: 2
