4 Replies Latest reply on Jun 16, 2008 5:08 PM by salaboy21

    Encrypted Passwords in LDAP

    kc5mzr

      In my LDAP server the userPassword attribute is encrypted looks like:

      dn: cn=Jim Yates,ou=userAccounts,dc=accuserverx,dc=com
      objectClass: accuserverxPerson
      uid: jyates
      sn: Yates
      userPassword: {CRYPT}VDtMsA.7lGcqY
      givenName: Jim
      cn: Jim Yates

      I can authenticate users with clear text stored in the userPassword attribute, but not the encrypted ones.
      I've looked at the wiki pages, but I can't figure out how to use the encrypted passwords. I'm using jsp's for most of my application, including the login with the j_security_check form.

      login-config.xml fragment

      <application-policy name="accuserverx-security">

      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
      flag="required">
      <module-option name="java.naming.provider.url">
      ldap://10.5.80.50:389/
      </module-option>
      <module-option name="bindDN">cn=Manager,dc=accuserverx,dc=com</module-option>
      <module-option name="bindCredential">secret</module-option>
      <module-option name="baseCtxDN">ou=userAccounts,dc=accuserverx,dc=com</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">ou=Roles,dc=accuserverx,dc=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option> </login-module>

      </application-policy>

      web.xml fragment

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>accuserverx-security</web-resource-name>
      Require users to authenticate
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.do</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
      Only allow Authenticated_users role
      <role-name>Managers</role-name>
      <role-name>Clerks</role-name>
      </auth-constraint>
      <user-data-constraint>
      Encryption is not required for the application in general.

      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <security-role>
      The role required to access restricted content
      <role-name>Managers</role-name>
      </security-role>
      <security-role>
      The role required to access restricted content
      <role-name>Clerks</role-name>
      </security-role>
      <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>login.jsp</form-login-page>
      <form-error-page>login_error.html</form-error-page>
      </form-login-config>
      </login-config>

        • 1. Re: Encrypted Passwords in LDAP
          kc5mzr

          I added the following to login-config.xml
          <module-option name="hashAlgorithm">MD5</module-option>
          <module-option name="hashEncoding">base64</module-option>
          If I change my userPassword to {MD5}fGoYCzaJagqMAnh+6vsOTA==
          it wont work. If I remove the {MD5}, I can authenticate.

          Any ideas on how to solve this?

          • 2. Re: Encrypted Passwords in LDAP
            kc5mzr

            This has become a big issue now. Does anyone have a solution.

            • 3. Re: Encrypted Passwords in LDAP
              kc5mzr

              So nobody else has this issue? It's just me?

              • 4. Re: Encrypted Passwords in LDAP
                salaboy21

                yeap.. i have this issue.. i solve it for single sign on thru extending my org.jboss.security.auth.spi.LdapExtLoginModule and removing the {ALG} part to authenticate...

                This is a problem about compatibility in Directory Servers implementations... i work with open ldap and Open DS and both have diferences at this level...
                I hope it helps.. let me know if you need to do something more..