I'm working with an existing database where passwords are hashed like this:

DBMS_UTILITY.GET_HASH_VALUE(the_username || the_password, 1000000000, 1073741824)

I know that this is bad for various reasons (not a proper cryptographically safe hash and the algorithm Oracle uses may change between versions). But that database exists and it's unlikely that we can get them to change this since they have lots of users and cannot simply switch to a proper hashing algorithm without having each of them re-enter or reset their password.

Now I need to use this database for LDAP authentication (based on OpenLDAP). Unfortunately there is no way to make OpenLDAP pass the plaintext password to the database (where I could then simply call the hashing function on the plaintext password). However, modifying the LDAP client would be possible, so if I could create the hash there everything would be fine.

I'd rather avoid connecting to the Oracle database to do this since that would require the Oracle client, database login data, etc. on that machine, too. Therefore I wonder if there is any information about the algorithm used by GET_HASH_VALUE() available. I couldn't find anything on Google but maybe it's buried between all the somewhat unrelated results... In case the algorithm changed recently, the server version is 11.2.0.3.0.

Mark Stewart
asked Jan 10, 2014 at 16:23
  • I can't find anything that says it's anything other than proprietary ... Commented Jan 10, 2014 at 16:54
  • Have you looked into ass-Through authentication? Oracle would need to work as a SASL validator. Commented Jan 12, 2014 at 21:51
  • Ass-Through authentication.. :D But thanks, that looks really interesting. I guess I need to implement the SASL part on my own? Commented Jan 12, 2014 at 22:30
  • If you want to see the code of this package, you can always unwrap it, for example with UnwrapIt. Commented Jan 13, 2014 at 8:34
  • @rvheddeg: I don't think the code is available... I looked at the all_source rows for dbms_utility and all I found was this: gist.github.com/ThiefMaster/f0b818f4d4514332e557 - I'm not familiar with Oracle but it looks very much like a prototype for a function defined somewhere else. Commented Jan 13, 2014 at 10:37

1 Answer

You cannot reverse DBMS_UTILITY.GET_HASH_VALUE. It is simply not possible.

Your problem is different: you have to identify a user through a compliant LDAP directory (like OpenLDAP). Look for Enterprise Users or LDAP authentication in the Oracle documentation and you will find all you need ...

answered Jul 14, 2014 at 14:48
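
The question's remark that this is not a proper password hash can be quantified from the arguments in the quoted call. The following is an added example, not part of the original posts: it assumes the documented behaviour that GET_HASH_VALUE returns a value between base and base + hash_size - 1, and (optimistically) that outputs are uniformly distributed.

```python
import math

# Arguments taken from the call quoted in the question:
#   DBMS_UTILITY.GET_HASH_VALUE(name, base, hash_size)
BASE = 1_000_000_000
HASH_SIZE = 1_073_741_824  # 2**30


def output_range(base=BASE, hash_size=HASH_SIZE):
    """Inclusive range of possible stored values: base .. base + hash_size - 1."""
    return base, base + hash_size - 1


def verifier_bits(hash_size=HASH_SIZE):
    """Upper bound, in bits, on what a stored value can distinguish."""
    return math.log2(hash_size)


def false_accept_probability(wrong_attempts, hash_size=HASH_SIZE):
    """Chance that at least one of N wrong passwords maps to the stored value.

    Assumption: uniformly distributed outputs (best case for the defender).
    Computed as 1 - (1 - 1/size)**N in log space to avoid rounding to zero.
    """
    return -math.expm1(wrong_attempts * math.log1p(-1.0 / hash_size))


def shared_value_probability(accounts, hash_size=HASH_SIZE):
    """Birthday bound: chance that at least two of N accounts share a stored value."""
    log_all_distinct = sum(math.log1p(-i / hash_size) for i in range(accounts))
    return -math.expm1(log_all_distinct)


if __name__ == "__main__":
    low, high = output_range()
    print(f"stored values lie in {low}..{high} ({verifier_bits():.0f} bits)")
    # 50,000 accounts is a constructed figure, not one from the question.
    print(f"P(two of 50,000 accounts collide) = {shared_value_probability(50_000):.3f}")
    print(f"P(a single wrong password is accepted) = {false_accept_probability(1):.2e}")
```

Whatever component ends up computing this value, the stored number can never carry more than 30 bits, which is the hard ceiling on the strength of this verifier regardless of password quality.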
