
Steven Kryskalla committed dd303fe

fix LDAP password validation for certain users


Files changed (1)

solace/_ldap_auth.py

 import ldap as LDAP
 
 from base64 import decodestring as decode
+import binascii
 import hashlib
 
 def get_ldap_conn(server_uri, bind_user_dn=None, bind_pass=None):
         raise ValueError("Found more than one user for LDAP designated name 'uid=%s': %s" % (uid, repr(result)))
     return result[0]
 
-def validate_ssha_password(ssha_hash, password):
-    """Validates the given plaintext `password` against an SSHA password hash from LDAP."""
-    challenge_bytes = decode(ssha_hash[6:])
+def validate_ssha_password(ssha_password, password):
+    """Validates the given plaintext `password` against an SSHA password hash from LDAP. Falls back to plaintext comparison if `ssha_password` doesn't look encoded."""
+    if not ssha_password.startswith("{SSHA}"):
+        return ssha_password == password
+    challenge_bytes = decode(ssha_password[6:])
     digest = challenge_bytes[:20]
     salt = challenge_bytes[20:]
     hr = hashlib.sha1(password)
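Review bot: The fallback at `if not ssha_password.startswith("{SSHA}")` treats every stored value without that exact prefix as a cleartext password, so an entry kept under another scheme (`{SHA}`, `{CRYPT}`, or a lower-case `{ssha}`) is compared literally and the stored hash string itself would validate as the password. Reject scheme-like prefixes before falling back, e.g. `if ssha_password.startswith("{"): return False`, and make the remaining comparison constant-time with `return hmac.compare_digest(ssha_password, password)` where the runtime provides it. The docstring should also say that cleartext directory entries are accepted deliberately, so the next maintainer does not widen the fallback further. `binascii` is imported by this commit but is not used in the visible lines; the function body continues past the hunk, so the decode error handling may live there.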