Configure Password Comparison with Hashed Passwords

Archived Documentation

This page documents Mideye Server version 5, which is no longer actively maintained. For current documentation, see Mideye Server v6.

Overview

Password comparison enables authentication against hashed passwords stored in Active Directory attributes instead of the standard password field. This is useful for scenarios where direct LDAP bind authentication isn’t available.

Supported hash algorithms:

• SHA (SHA-1)
• SSHA (Salted SHA)
• MD5
• SMD5 (Salted MD5)
• CRYPT (Unix crypt)

---

Password comparison feature is used to authenticate users against a hashed password that is stored in an optional attribute, rather than the standard password attribute, in the user repository. This feature is specifically designed to work with Microsoft Active Directory user repository.

The field containing the hashed password can be any one of the user attributes in Active Directory, and it is specified from Mideye Server. This attribute must contain the (case sensitive) hashed password, Base64 encoded as shown below: {HASH_TYPE}hashed_Password_Base64_Encoded.

An account with appropriate permissions for accessing Active Directory in order to retrieve user information (including the field containing the hashed password) is needed.

Note

When Password Comparison is used, Activate LDAP user locking feature will be enabled automatically and it is impossible to disable it. The reason is to prevent brute force attacks by locking the user in Mideye Server after a certain number of failed login attempts for a specified time. Max failed user attempts indicate the number of failed login attempts after which the user will be locked and the Number of minutes locked the duration for which the user will remain locked.

Supported Password Hashes

The supported password hashes are:

• SHA: SHA-1 hash algorithm
• SSHA: Salted SHA
• CRYPT: Unix crypt function
• MD5: MD5 hash algorithm
• SMD5: Salted MD5 algorithm

In order to produce valid password hashes, the plain text password must be UTF-8 encoded, and the hash must be Base 64 encoded, as explained in the following example.

Hashing Process

The hashing process is as follow:

• Encode the UTF-8 plain text password to a byte array
• Hash the byte array using one of the supported hash algorithms
• Encode the hash to Base 64 format
• Prepend the hash algorithm name placed between curly brackets to the result, for example, possible hashes of the password “password” are:
  • {SSHA}VtpoxGYLenxwGC88loHYDwb1SpqBbOb6c1OyZiyAQcgFYPPnqRFviA==
  • {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
  • {CRYPT}aajfMKNH1hTm2
  • {MD5}X03MO1qnZdYdgyfeuILPmQ==
  • {SMD5}swXK27O85U86pZxk/sAN6nNhbHQ=

Note

The encoding used to produce the password hash and the one used by the RADIUS client must be the same. The same string encoded with different encodings may produce different byte arrays, resulting in different final hashes. So even if the password string is the same different encoding will prevent the correct validation.

Case Sensitivity

The hash type prefix is case sensitive:

Example	Result
{CRYPT}aajfMKNH1hTm2	✅ Valid
{crypt}aajfMKNH1hTm2	❌ Invalid

Usage Example

Prerequisites:

• LDAP server configured and working in Mideye Server
• User search working from the LDAP Server Configuration dialog
• Active Directory attribute selected for hashed password storage

Configuration steps:

1. Open Mideye Configuration Tool and navigate to LDAP Servers
2. Select your LDAP profile and click Edit
3. Go to the Authentication tab
4. In the Password Override field, enter the Active Directory attribute that will store the hashed passwords (e.g., physicalDeliveryOfficeName)
5. Configure other settings as needed:
   • Authentication type
   • Mobile number attribute
   • Token number attribute (if applicable)
6. Click Save to apply the configuration

Testing:

After configuration, perform a RADIUS authentication to verify the setup. Mideye Server will read the hashed password from the specified attribute and compare it against the password provided during authentication.