Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Python hashing and test functions for user passwords stored in OpenLDAP.
#!/usr/bin/env python
As seen working on Ubuntu 12.04 with OpenLDAP 2.4.28-1.1ubuntu4
Author: Roberto Aguilar <>
import hashlib
import os
def check_password(tagged_digest_salt, password):
Checks the OpenLDAP tagged digest against the given password
# the entire payload is base64-encoded
assert tagged_digest_salt.startswith('{SSHA}')
# strip off the hash label
digest_salt_b64 = tagged_digest_salt[6:]
# the password+salt buffer is also base64-encoded. decode and split the
# digest and salt
digest_salt = digest_salt_b64.decode('base64')
digest = digest_salt[:20]
salt = digest_salt[20:]
sha = hashlib.sha1(password)
return digest == sha.digest()
def make_secret(password):
Encodes the given password as a base64 SSHA hash+salt buffer
salt = os.urandom(4)
# hash the password and append the salt
sha = hashlib.sha1(password)
# create a base64 encoded string of the concatenated digest + salt
digest_salt_b64 = '{}{}'.format(sha.digest(), salt).encode('base64').strip()
# now tag the digest above with the {SSHA} tag
tagged_digest_salt = '{{SSHA}}{}'.format(digest_salt_b64)
return tagged_digest_salt
if __name__ == '__main__':
if len(sys.argv) > 1:
# buffer straight out of OpenLDAP
ldap_buf = 'e1NTSEF9VGY1dVFxUkl0VzV2NGowV0RNNXczY2dJd2ZLS0FUcFg='
print 'ldap buffer result: {}'.format(check_password(ldap_buf, 'foobar'))
# check that make_secret() above can properly encode
print 'checking make_secret: {}'.format(check_password(make_secret('foobar'), 'foobar'))

This comment has been minimized.

Copy link
Owner Author

shtrom commented May 21, 2016

$ ./ correcthorsebatterystaple
$ ./ correcthorsebatterystaple
$ ./ correcthorsebatterystaple
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.