SSHA, or salted SHA, is a password hashing scheme (SHA-1 over the password plus a random salt) used for LDAP userPassword values; see the OpenLDAP Faq-O-Matic page for details. A stored value looks like {SSHA} followed by base64(sha1(password + salt) + salt), so the salt travels with the hash and can be recovered when a password is checked.
To create an LDAP SSHA password entry in Tcl (tcllib's sha1 package and, for binary encode base64, Tcl 8.6 are required) do something along the following lines:
   package require Tcl 8.6
   package require sha1

   proc ldapPasswordStringSSHA {clear salt} {
       # return the LDAP userPassword value for clear, generated with SSHA:
       # "{SSHA}" followed by base64(sha1(clear + salt) + salt)
       set salted [sha1::sha1 -bin -- ${clear}${salt}]
       return "{SSHA}[binary encode base64 ${salted}${salt}]"
   }
Notes:
To create a random salt on *nix* like operating systems you can use the following:
   proc createRandomSalt n {
       # return a random string of n bytes read from /dev/random;
       # binary mode keeps the channel from re-encoding or translating the bytes
       set fd [open /dev/random rb]
       set salt [read $fd $n]
       close $fd
       return $salt
   }
Notes:
To compare a password with its LDIF representation (the base64 value after userPassword::, which encodes the whole {SSHA}... string) use the following:
   proc matchLdapSshaPassword {ldif clear} {
       # decode the LDIF value, get the schema, encode clear with the same
       # schema and salt, and compare the results
       set ldapPasswordString [binary decode base64 $ldif]
       lassign [split $ldapPasswordString \}] schema encodedPassword
       set schema [string range $schema 1 end]
       set salt ""
       switch -exact -- $schema {
           SSHA {
               # the salt is everything after the 20-byte SHA-1 digest,
               # so salts of any length are handled
               set salt [string range [binary decode base64 $encodedPassword] 20 end]
           }
           default {
               error "password schema not handled: $ldapPasswordString"
           }
       }
       return [expr {$ldapPasswordString eq [ldapPasswordStringSSHA $clear $salt]}]
   }
Notes:
Example:
LEG has wrapped up this code into a Tcl script. See his page for reference.
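The following round trip is an added example and is neither the page's code nor LEG's script: it builds an {SSHA} value, writes it out as an LDIF userPassword line, parses that line back and verifies a right and a wrong password. The procedure names (sshaValue, randomSalt, ldifUserPasswordLine, parseLdifUserPassword, verifySsha), the 8-byte salt, the use of /dev/urandom instead of /dev/random and the UTF-8 conversion of the password before hashing are all choices made here, not something the page prescribes.

```tcl
# Added example, not from the original page or from LEG's script.
# Requires Tcl 8.6 (binary encode/decode base64) and tcllib's sha1 package.
package require Tcl 8.6
package require sha1

# Build "{SSHA}" + base64(sha1(password + salt) + salt).
# The password is converted to UTF-8 bytes first (assumption: that is the
# byte sequence an LDAP client sends and the directory hashes).
proc sshaValue {clear salt} {
    set bytes [encoding convertto utf-8 $clear]
    set digest [sha1::sha1 -bin -- ${bytes}${salt}]
    return "{SSHA}[binary encode base64 ${digest}${salt}]"
}

# Random salt of n bytes from the kernel CSPRNG, read in binary mode so
# no encoding or newline translation corrupts the bytes.
proc randomSalt {n} {
    set fd [open /dev/urandom rb]
    set salt [read $fd $n]
    close $fd
    return $salt
}

# LDIF writes values that are not plain safe ASCII as "attr:: base64",
# so the whole "{SSHA}..." string is base64-encoded once more for the file.
proc ldifUserPasswordLine {value} {
    return "userPassword:: [binary encode base64 $value]"
}

# Parse a userPassword LDIF line back to the raw "{SCHEME}..." value.
# Accepts both "userPassword:: <base64>" and "userPassword: <plain>".
proc parseLdifUserPassword {line} {
    if {[regexp {^userPassword::\s*(\S+)$} $line -> b64]} {
        return [binary decode base64 $b64]
    } elseif {[regexp {^userPassword:\s*(.*)$} $line -> plain]} {
        return $plain
    }
    error "not a userPassword line: $line"
}

# Verify a candidate password against a "{SSHA}..." value. The salt is
# everything after the 20-byte SHA-1 digest, so any salt length works;
# values with another scheme or without a salt are rejected explicitly.
proc verifySsha {stored clear} {
    if {![regexp {^\{([A-Za-z0-9]+)\}(.*)$} $stored -> scheme b64]} {
        error "no {SCHEME} prefix in stored value"
    }
    if {$scheme ne "SSHA"} {
        error "password scheme not handled: $scheme"
    }
    set raw [binary decode base64 $b64]
    if {[string length $raw] <= 20} {
        error "stored SSHA value is too short to contain a salt"
    }
    set salt [string range $raw 20 end]
    return [expr {$stored eq [sshaValue $clear $salt]}]
}

# --- constructed demo input ---
set password "correct horse"    ;# constructed sample password
set salt [randomSalt 8]         ;# 8-byte salt; longer than the common 4-byte default
set stored [sshaValue $password $salt]
set line [ldifUserPasswordLine $stored]
puts $line

set back [parseLdifUserPassword $line]
puts "right password matches: [verifySsha $back $password]"
puts "wrong password matches:  [verifySsha $back {wrong pass}]"
```

Because the salt is random, the printed LDIF line differs on every run; the two verification results are what stay fixed. The salt length is recovered from the decoded value rather than assumed, which is what lets a verifier accept values produced by other tools that use salts longer than four bytes.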