LEX Online Manual Content

• Introduction to LEX
  • First steps
    • License Splashscreen
    • ReadOnly PopUp
    • First LDAP Connection
  • LEX GUI Elements
    • The Treeview Panel
      • Reloading the Tree Structure
      • Hiding the Tree Structure
      • The currently selected Container
    • The Object List Panel
      • Reloading the Object List
      • Object List Scope
      • Object List Filter
      • Object Names Display
      • Object Attribute Columns
      • Sorting the Object List
      • Object Icons
    • The Attribute List Panel
      • Showing and Hiding the Attribute List
      • Attribute List Position
      • Refreshing the Attribute List Contents
      • Attribute List Filter
    • The Address Bar
    • The Command Button Bar
    • The Status Bar
    • The Attribute Window
      • Attribute Window Hotkeys
      • Attribute Window Command Buttons
      • Refreshing the Attribute Window Contents
      • Attribute Window Filter
      • Text Output
  • Command Line Parameters
• Command Buttons
  • Treeview Buttons
    • Expand/Collapse Tree Panel
    • Reload Directory Info
    • Reload Entire Directory Tree
    • Search
  • Object List Buttons
    • Expand/Collapse Tree Panel
    • Expand/Collapse Attribute List
    • Reload Object List
    • Go Up one Level
    • Show Objects in all Subcontainers
    • Create New Object
    • Delete Object
    • Show Friendly Object Names
    • Show Distinguished Name in Novell Notation
    • Show Hex Output for Hex Values
    • Set Object Filter
  • Attribute List Buttons
    • Toggle Attribute List Position
    • Reload Attribute Info
    • Add New Attribute
    • Add Attribute Element to an Array
    • Remove Attribute
    • Show only Attributes that have Values
    • Show Multivalued Attributes
    • Set Attribute List Filter
  • Attribute Window Buttons
    • Reload Attribute Info
    • Compare this Object with another
    • Add New Attribute
    • Add Attribute Element to an Array
    • Remove Attribute
    • Show only Attributes that have Values
    • Show Friendly Object Names
    • Show Distinguished Name in Novell Notation
    • Show Hex Output for Hex Values
    • Show Multivalued Attributes
    • Set Attribute List Filter
    • Show Attribute Names and Values
• Menu Help
  • Connection Menu
    • Connect
    • Save
    • New LEX
    • Disconnect
    • Connection Info
    • Attributes
    • RootDSE
    • Exit
  • Edit Menu
    • Copy Attribute Name
    • Copy Attribute Value
    • Paste Attribute
    • Search
    • Undelete
    • Set Password
    • Permissions
    • New Object
    • Delete Object
    • Move Object
    • Rename Object
    • Add New Attribute
    • Add Array Member
    • Remoe Attribute
    • Set empty Value
    • Quick Edit Value
    • Edit Attribute Value
  • View Menu
    • Set Attribute as List Column
    • Column Field Chooser
      • Object type
      • Date modified
      • Modifiers name
      • Date created
      • Creators Name
      • More
      • Load Column Set
      • Save Column Set
    • Filter Display for this Attribute
    • Jump to Object
    • Toolbars
      • Address Bar
      • Button Bar
      • Status Bar
    • Directory Tree
    • Attribute List
    • List Output Settings
      • Show Objects in all Subcontainers
      • Show Friendly Object Names
      • Show DNs in Novell Notation
      • Show Hex Output for Attributes with Hex Values
    • Attribute Output Settings
      • Show Hex Output for Attributes with Hex Values
      • Show only Attribute that have Values
      • Show Multivalued Attributes
    • Refresh
    • Reload Entire Tree
  • Favorites Menu
    • Add to Favorites
    • Organize Favorites
    • Sort by Name
  • Tools Menu
    • Use in Filter Factory
    • Select for Compare
    • Compare with...
    • Directory Export - Object List
    • Directory Export - Attribute List
    • Directory Import - LDIF
    • Filter Factory
    • TreeMap Factory
    • Observation Factory
    • Pipe Factory
    • Additional Infos/Tools
      • Resolve SID Attributes to Objects
      • Converter for numeric values
      • Converter for hex values
      • Converter for GUID values
      • Converter for SID values
    • Options
  • Help Menu
    • Index
    • Search
    • Online Support
    • Check for Updates
    • Activate existing License
    • About
• Application Options
  • General Tab
  • LDAP Settings Tab
  • Object Filter Tab
  • Attribute Filter Tab
  • Container Classes Tab
  • Attribute Syntaxes Tab
  • Linked Attributes Tab
  • Dialog Settings Tab
  • Colors Tab
• Application Hotkeys
• Connecting to LDAP Servers
  • The LDAP Connections Dialog
    • Server Tab
    • Advanced Tab
    • Attribute Filter Tab
    • Column Tabs
  • Connection Profiles
  • LDAPS / LDAP over SSL
• Working with LDAP Objects
  • Creating Directory Objects
  • Renaming Directory Objects
  • Moving Directory Objects
  • Deleting Directory Objects
  • Editing Multiple Objects
  • LDAP Object Classes
  • LDAP Attributes
    • Attribute Syntaxes
    • Attribute Editors
      • String Editor
      • Integer Editor
      • Boolean Editor
      • DN Editor
      • Generalized Timestring Editor
      • Binary / Hex Editor
      • Password Editor
      • Bitmap Editor
      • GUID Editor
      • Microsoft Security Descriptor Editor
      • Microsoft Access Control Entry Editor
      • Microsoft SID Editor
      • Microsoft Large Integer Editor
      • Microsoft Interval Editor
      • Microsoft Timestamp Editor
      • Microsoft DN with Binary Editor
      • Microsoft DN with String Editor
      • Novell Object ACL Editor
      • Novell Path Editor
      • Novell EMail Address Editor
      • Novell Timestamp Editor
      • Novell Backlink Editor
      • Novell Typed Name Editor
      • Flag Attribute Editor
    • Operational Attributes
    • Binary Attributes
    • Displaying Multivalued Attributes
    • Displaying Hex/Octetstring Attributes
    • Displaying DN Attributes
    • Displaying Unused Attributes
  • Undeleting Active Directory Objects
    • AD Tombstone Reanimation
    • AD Recycle Bin
  • Copy and Paste of Attribute Values
• Working with LDAP Directories
  • ReadOnly Mode
  • Directory Tree Caching
  • Container Class Evaluation
• Building LDAP Filters
  • LDAP Filter Syntax
  • The Filter Factory
  • The Filter Constructor
  • The Single Filter Editor
  • Famous Filters
• Searching The Directory
  • Search Results
  • Searching the Global Catalog in AD Environments
• Comparing Objects
  • Compare Window Hotkeys
  • Compare Window Command Buttons
• Exporting Directory Data
  • Exporting Object List Data
  • Exporting Attribute List Data
• Importing Directory Data
• Licensing Contract for Users

Editor for Password Attributes

This editor is used to show, edit or create LDAP password attributes:



In the top area of this dialog, you see the distinguished name and type icon for the object whose attribute your are editing. In the line beneath, the attribute name is shown.

Passwords are often stored in LDAP systems according to the rules outlined in RFC 2307 'An Approach for Using LDAP as a Network Information Service'. This document describes among other things how password can be stored in an LDAP attribute. Most generic LDAP directories like OpenLDAP, iPlanet, 389 Directory Server or DirX uses this password methods, only Active Directory uses other proprietary mechanisms to handle password information.

Passwords should never be stored in an attribute in clear text - in fact, most generic LDAP directories store an hash value of the password - in other words, a kind of encryption. Normally it should prevent any user who can read this value to re-calculate the original password, but it allows to check a password entered by the user in an authentication process.

Depending on the directory server, several different hash algorithms could be used. According to RFC 2307, the syntax of the hash value has to be '{HashAlgorithm}Hashvalue'. Only a few hash algorithms are used without indicating the algorithm name in curly brackets.

The LEX password editor can calculate hash values for you, if you want to set a new password for an object. You just have to enter the password in the New password text box. When you re-enter the same password in the Confirm password text box, the regarding hash value is calculated and shown in the Password value box.


Please note that not all of these algorithms are supported by all LDAP servers. If you use an algorithm which indicated in the hash value, you can use the In Uppercase option to choose how the algorithm label should be inserted. Oddly enough, some LDAP server enforces the label to be upper case, although the RFC document specify this to be in lower case.

• Plain Text: Obviously, this is not an hash algorithms. In fact, the password value will be shown and written in clear text. Many modern LDAP servers will convert a written clear text password automatically in a hash value when the store the attribute in the directory database.
  
  
• CRYPT: This is the Unix Crypt hash algorithm, based on DES (Data Encryption Standard) with a 2 byte salt. Because DES was defined already in 1973, this algorithm is considered not to be the strongest.
  
  
• MD5: The MD5 algorithm is a hash function with a 128 bit hash value. It was defined 1992 in the RFC 1321. MD5 is widely considered cryptographically broken and unsuitable for further use. There are many web sites where you can perform a rainbow table attack against an MD5 value in seconds - so you should not use this algorithm any more.
  
  
• SMD5: This is the salted version of the MD5 hash algorithm, so this is more secure than a pure MD5.
  
  
• SHA: This is the SHA-1 algorithm. SHA stands for Secure Hash Algorithm. It generates hash values 160 bit hash values. The modern SHA-2 algorithms (see below) are stronger, but the SHA-1 is more widely supported by LDAP servers.
  
  
• SSHA: This is the salted version of the SHA hash algorithm, so this is more secure than a pure SHA.
  
  
• SHA-256: This is the SHA-2 algorithm with a hash value length of 256 bit. SHA stands for Secure Hash Algorithm. The longer the hash value, the saver the algorithm - but it has to be supported by the regarding LDAP server also....
  
  
• SSHA-256: This is the salted version of the SHA-256 hash algorithm, so this is more secure than a pure SHA-256.
  
  
• SHA-384: This is the SHA-2 algorithm with a hash value length of 384 bit. SHA stands for Secure Hash Algorithm. The longer the hash value, the saver the algorithm - but it has to be supported by the regarding LDAP server also....
  
  
• SSHA-384: This is the salted version of the SHA-384 hash algorithm, so this is more secure than a pure SHA-384.
  
  
• SHA-512: This is the SHA-2 algorithm with a hash value length of 512 bit. SHA stands for Secure Hash Algorithm. The longer the hash value, the saver the algorithm - but it has to be supported by the regarding LDAP server also....
  
  
• SSHA-512: This is the salted version of the SHA-512 hash algorithm, so this is more secure than a pure SHA-512.
  
  
• Samba LM: This is the Microsoft Lan Manager hash algorithm which is used in the Samba specific attributes sambaLMPassword, lmPassword, sambaNTPassword and ntPassword. It is an DES (Data Encryption Standard) based algorithm, the hash value is a string which represents the hexadecimal hash value. Be aware that this algorithm can be easily cracked with different methods, so it's recommended to use the more modern Samba NTLM instead (if the regarding server supports it).
  
  
• Samba NTLM: This is the Microsoft Windows NT Lan Manager hash algorithm which is used in the Samba specific attributes sambaLMPassword, lmPassword, sambaNTPassword and ntPassword. It is based on an MD4, the hash value is a string which represents the hexadecimal hash value.
  

---

Salted hash algorithms

Many hash algorithms can be made stronger by adding a random value (the 'salt') to the original initial data which has to be encrypted/hashed. This additional value prevents the easy re-calculation of the initial data from the hash value, so it generally makes an hash algorithm stronger.

If you use a salted password hash algorithm like SMD5, SSHA, SSHA-256, SSHA-384 or SSHA-512, LEX generates a randomized salt value for each hash calculation. You cannot set the salt value manually, but you can decide how long this value should be. Just open the application option Tools - Options - Attribute Syntaxes for this:



The default salt length used by LEX is 8 bytes.

---

Editing the raw password data

If you opened a userPassword attribute with the password editor dialog, the regarding data is basically handled as binary data by the LDAP directory. You can display and edit the password data in it's binary form if you want: Just press on the Raw label in the bottom left corner of the dialog. The editor is switched to an binary editor then:

---

Checking the current directory password

If a password hash value is stored in an LDAP attribute, you normally cannot determine any more what the real password was. If you want to check if a hash value found in the directory corresponds to a certain password string, you can do the following:

1. Enter the password string you want to check against in the New password text box.
   
   
2. Re-enter this string in the Confirm password text box.
   
   
3. Press the Check against the current password button. LEX calculates the hash value according to the algorithm setting in the dialog. The calculated hash value is checked against the attribute content in the directory. Even hashes with random salt values can be checked. If the password matches with the directory value, the following message is shown:
   
   
   
   

---

When will the password editor will be used?

For the use of the password editor, LEX evaluate the attribute's name:

The password editor which assumes that the password attribute is basically a binary value is used whenever the attribute userPassword is accessed.

The password editor which assumes that the password attribute is basically a string value is used whenever the samba attributes sambaLMPassword, lmPassword, sambaNTPassword or ntPassword are accessed.