Thursday, December 08, 2005

Solaris Enterprise System DS Unicode Handling

How Solaris Enterprise System DS handles Unicode characters

DS follows the standard LDAP schema:

attributeTypes=( 2.5.4.35 NAME 'userPassword'
DESC 'Standard LDAP attribute type'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}
X-ORIGIN 'RFC 2256' )

According to RFC 2256, "Passwords are stored
using an Octet String syntax and are not encrypted.
Transfer of cleartext passwords are strongly
discouraged where the underlying transport service
cannot guarantee confidentiality and may
result in disclosure of the password to
unauthorized parties."

This is how Solaris Enterprise System DS
handles userPassword:

Identifies the entry's password and encryption
method in the following format:

{encryption method}encrypted password

Syntax:
Binary, multi-valued.

uid=test,ou=people,dc=sun,dc=com
objectClass=person
objectClass=organizationalPerson
objectClass=inetuser
objectClass=inetOrgPerson
*userPassword={SSHA}yG/3f2DJzg8jdc8gqAnqoPXqwIjoPzAKsToNcA==*

(3) Second, let's study the LDAP password storage schemes
(ciphers) used by Solaris Enterprise System DS:

cn=Password Storage Schemes,cn=plugins, cn=config
objectClass=top
objectClass=nsContainer
cn=Password Storage Schemes

cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=CLEAR
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=clear_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=clear-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=No encryption (CLEAR)
ds-pluginSignatureState=valid signature

cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=CRYPT
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=crypt_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=crypt-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Unix crypt algorithm (CRYPT)
ds-pluginSignatureState=valid signature

cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/des-plugin.so
nsslapd-pluginInitfunc=des_init
nsslapd-pluginType=reverpwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginarg0=nsmultiplexorcredentials
nsslapd-pluginarg1=nsds5ReplicaCredentials
nsslapd-pluginarg2=dsKeyDBPwd
nsslapd-pluginId=des-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=DES storage scheme plugin
ds-pluginSignatureState=valid signature

cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=NS-MTA-MD5
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=ns_mta_md5_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=NS-MTA-MD5-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Netscape MD5 (NS-MTA-MD5)
ds-pluginSignatureState=valid signature

cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=SHA
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=sha_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=sha-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Secure Hashing Algorithm (SHA)
ds-pluginSignatureState=valid signature

cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
objectClass=top
objectClass=nsSlapdPlugin
objectClass=ds-signedPlugin
cn=SSHA
nsslapd-pluginPath=/var/opt/mps/serverroot/lib/pwdstorage-plugin.so
nsslapd-pluginInitfunc=ssha_pwd_storage_scheme_init
nsslapd-pluginType=pwdstoragescheme
nsslapd-pluginEnabled=on
nsslapd-pluginId=ssha-password-storage-scheme
nsslapd-pluginVersion=5.2_Patch_4
nsslapd-pluginVendor=Sun Microsystems, Inc.
nsslapd-pluginDescription=Salted Secure Hashing Algorithm (SSHA)
ds-pluginSignatureState=valid signature

(3) DS does support UTF-8 encoded ASCII as input to
the subsequent one-way hash. The ciphers are the
storage schemes defined above, such as SSHA.

(4) It requires that the LDAP client do the UTF-8 encoding. That's why
AM loves encoding with XML instances.
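
The points above as an added example (not from the original post or from Sun's code): a Python sketch that splits a `{scheme}value` userPassword, verifies an SSHA value, and shows why the client's encoding matters. It assumes the commonly documented SSHA layout, base64(SHA-1(password bytes + salt) + salt), which the post does not spell out; the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 output size; everything after it is the salt (assumed layout)

def split_user_password(value: str):
    """Split '{SCHEME}data' into (scheme, data); no prefix is treated as CLEAR."""
    if value.startswith("{") and "}" in value:
        scheme, data = value[1:].split("}", 1)
        return scheme.upper(), data
    return "CLEAR", value

def ssha_parts(data: str):
    """Decode the base64 payload into (digest, salt)."""
    raw = base64.b64decode(data, validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("SSHA value too short to contain a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]

def make_ssha(password: str, salt: bytes = None, encoding: str = "utf-8") -> str:
    """Hash the encoded password bytes followed by the salt, then append the salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode(encoding) + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(password: str, stored: str, encoding: str = "utf-8") -> bool:
    """Recompute the digest from the candidate password and the stored salt."""
    scheme, data = split_user_password(stored)
    if scheme != "SSHA":
        raise ValueError("not an SSHA value: " + scheme)
    digest, salt = ssha_parts(data)
    candidate = hashlib.sha1(password.encode(encoding) + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Constructed sample: a non-ASCII password stored by a client that encodes as UTF-8.
SAMPLE_PASSWORD = "pässwörd"
SAMPLE_STORED = make_ssha(SAMPLE_PASSWORD, salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")

if __name__ == "__main__":
    print(SAMPLE_STORED)
    print("utf-8  :", check_ssha(SAMPLE_PASSWORD, SAMPLE_STORED))
    print("latin-1:", check_ssha(SAMPLE_PASSWORD, SAMPLE_STORED, encoding="latin-1"))
```

An ASCII-only password verifies under either encoding, so a client that encodes incorrectly goes unnoticed until a password contains non-ASCII characters.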
