I’m happy to see version 2.0 of Apache Directory Studio was recently released. This new version adds support for a feature I use all the time: verifying passwords and BINDing as users. Version 2.0 now supports Salted SHA algorithms.

 

In previous versions, passwords stored with SSHA-512, for example, showed up as “unsupported hash method” and you were unable to Verify or Bind them. What do Verify and Bind do?

Verify – Performs a COMPARE operation to see whether the value of the “userPassword” attribute matches what you entered.
Bind – This actually performs a BIND against the directory with the password you entered.

Why would these ever be different? Well, you could have a setup on your directory where BIND operations are routed elsewhere. Maybe you’re using a proxy LDAP server, Oracle Virtual Directory, or something else. For example, OID (Oracle Internet Directory) has a feature called 3rd Party Authentication. You can configure this OID plugin to do BINDs against an Active Directory instance, for example. This means you can have a user in OID with a userPassword value of “oidPassword”, but his AD password is “adPass”. If you were to Verify his password in Apache Directory Studio with a value of “oidPassword”, it would be successful; however, if you were to Bind, it would fail. Bind would work if you entered the AD password, as OID actually forwards the BIND to AD.
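As an added illustration (not Apache Directory Studio's or any directory server's own code), this Python example shows what checking a candidate password against a salted SHA userPassword value involves. It assumes the common layout of a scheme prefix followed by base64(digest + salt); the function names and the sample salt are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (hashlib algorithm, digest length in bytes)
SCHEMES = {
    "{SSHA}": ("sha1", 20),
    "{SSHA256}": ("sha256", 32),
    "{SSHA384}": ("sha384", 48),
    "{SSHA512}": ("sha512", 64),
}

def make_ssha(password, scheme="{SSHA512}", salt=None):
    """Build a userPassword value: scheme + base64(H(password + salt) + salt)."""
    algo, _ = SCHEMES[scheme]
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")

def verify_user_password(stored, candidate):
    """Return True if candidate hashes to the stored salted value."""
    end = stored.find("}") + 1          # 0 when there is no scheme prefix
    scheme = stored[:end].upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported hash method: %r" % scheme)
    algo, digest_len = SCHEMES[scheme]
    raw = base64.b64decode(stored[end:], validate=True)
    if len(raw) <= digest_len:
        raise ValueError("value too short to contain a salt")
    # The salt is whatever follows the fixed-length digest.
    digest, salt = raw[:digest_len], raw[digest_len:]
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison

if __name__ == "__main__":
    # Constructed sample reusing the post's example passwords.
    stored = make_ssha("oidPassword", "{SSHA512}", b"constructed-salt")
    print(stored)
    print("oidPassword:", verify_user_password(stored, "oidPassword"))
    print("adPass:     ", verify_user_password(stored, "adPass"))
```

This mirrors Verify only: a Bind that the directory forwards elsewhere, as in the OID case above, is decided by the other system and cannot be reproduced from the stored value.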

This password verification/bind tool is super useful when setting up a new deployment and you’re trying to troubleshoot login issues. I find it much faster and easier than using the ldapbind or ldapsearch command-line tools.

You can download Apache Directory Studio 2.0 here.