On Tue, Sep 29, 2015 at 09:31:20AM +0200, Matthias Apitz wrote:
> I do not know (the Java classes have been written by others) why we do not just do bind. What is wrong with our method?
It requires read access to the password hash, which is a security risk. Most LDAP deployments prevent *anyone* from reading password hashes (except for the replication user etc).
Hashing passwords and verifying them should be left to the LDAP server.
Note also that SSHA is very weak in the face of brute-force attacks. You should be trying to use one of the hash schemes that were designed specifically to protect passwords. BCRYPT is probably the best, but any of the Linux $1$, $6$, $2a$ schemes will give immensely more protection than plain SSHA.
> This part is not under our control. The LDAP is managed by some customer and I *think* they use some Perl script to create the user credentials in LDAP, calculating the SSHA hash in advance.
Advise them to create the entry without a password hash, then to set the password using the password-change extended operation.
See Net::LDAP::Extension::SetPassword for details.
Andrew
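As an added illustration of the two points made above (authenticate with a bind, and set passwords with the extended operation instead of writing a precomputed hash), here is a small Perl/Net::LDAP script. It is not code from the thread or from Matthias's project; the host, base DN and admin DN are placeholders, and the application account is assumed to have only the right to run the password-modify operation, not to read userPassword.

```perl
#!/usr/bin/env perl
# Added example, not from the thread: verify credentials by binding as the
# user, and set passwords with the password-modify extended operation
# (RFC 3062), so the application never needs read access to password hashes.
# Hostname, admin DN and passwords below are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::SetPassword;   # provides $ldap->set_password(...)

my $HOST     = 'ldaps://ldap.example.invalid';      # placeholder
my $ADMIN_DN = 'cn=pwadmin,dc=example,dc=invalid';  # placeholder

# Verify a user's credentials by binding as that user. The server checks
# the stored hash itself, whatever scheme it uses ({SSHA}, {CRYPT}$6$, ...),
# so the client never sees or compares the hash.
sub check_credentials {
    my ($user_dn, $password) = @_;

    # An empty password is an *unauthenticated* bind (RFC 4513 5.1.2), which
    # many servers accept without an error; reject it before contacting LDAP.
    return 0 if !defined $password || $password eq '';

    my $ldap = Net::LDAP->new($HOST, verify => 'require')
        or die "connect failed: $@";
    my $mesg = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;
    return $mesg->code == 0;    # 0 == LDAP_SUCCESS, anything else is a failure
}

# Set a user's password through the password-modify extended operation.
# The cleartext travels only inside the TLS session and the server applies
# its own hashing policy; nothing is precomputed on the client side.
sub set_user_password {
    my ($admin_password, $user_dn, $new_password) = @_;

    my $ldap = Net::LDAP->new($HOST, verify => 'require')
        or die "connect failed: $@";
    my $mesg = $ldap->bind($ADMIN_DN, password => $admin_password);
    die 'admin bind failed: ' . $mesg->error if $mesg->code;

    $mesg = $ldap->set_password(user => $user_dn, newpasswd => $new_password);
    $ldap->unbind;
    die 'set_password failed: ' . $mesg->error if $mesg->code;
    return 1;
}

# Usage (placeholders):
#   set_user_password($ENV{LDAP_ADMIN_PW}, 'uid=alice,ou=people,dc=example,dc=invalid', 'new-secret');
#   print check_credentials('uid=alice,ou=people,dc=example,dc=invalid', 'new-secret') ? "ok\n" : "denied\n";
1;
```

The `verify => 'require'` option matters for both functions: the bind and the password-modify operation both carry a cleartext password, so the script should refuse to talk to a server whose certificate it cannot validate. With this layout the customer's provisioning script can create the entry without a userPassword attribute and call `set_user_password` afterwards, and the choice of hash scheme (SSHA, CRYPT, bcrypt where supported) becomes a server-side setting rather than something baked into a Perl one-liner.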