Team, I am looking to replace the RDBMS with OpenLDAP as the datastore for one of our products. One blocker we have is handling the password migration.
The password is stored in hashed format in the RDBMS. However, I am not able to get the password migrated.
My goal is to migrate the data from the RDBMS to OpenLDAP without asking the end users to reset or change their passwords after the migration.
Question:
1. Do we have any way to intercept the LDAP bind verification and put in my own logic?
2. Do we have any way to modify or customize the password hash calculation that is used by OpenLDAP during LDAP bind?
3. Any other suggestions?
Thanks, Param
--On Wednesday, November 4, 2020 3:35 AM +0000 "Thangavel, Parameswaran" Parameswaran.Thangavel@rsa.com wrote:
Team,
I am looking to replace the RDBMS with OpenLDAP as the datastore for one of our products. One blocker we have is handling the password migration.
The password is stored in hashed format in the RDBMS. However, I am not able to get the password migrated.
What password hash is being used by the RDBMS?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
We hash at the application side (Java) before persisting it into the table. We use SSHA256. At a high level, below is the pseudo code of the hashing.
=========================
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Generate salt: 5 random bytes
int saltLength = 5;
byte[] salt = new byte[saltLength];
new SecureRandom().nextBytes(salt);

// Add salt and password to message digest instance (salt first, then password)
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
messageDigest.update(salt);
messageDigest.update(password.getBytes());

// hash the content: the 32-byte SHA-256 digest goes at offset 0, leaving room for the salt
byte[] hashedText = new byte[32 + saltLength];
int len = messageDigest.digest(hashedText, 0, 32); // len == 32

// append the salt to the hashed text
System.arraycopy(salt, 0, hashedText, len, saltLength);

// Store above byte[] in base64 format in RDBMS
String stored = Base64.getEncoder().encodeToString(hashedText);
=================================

-----Original Message-----
From: Quanah Gibson-Mount quanah@symas.com
Sent: Wednesday, November 4, 2020 9:32 PM
To: Thangavel, Parameswaran; openldap-technical@openldap.org
Subject: Re: Migration of Password Hash from RDBMs
--On Wednesday, November 4, 2020 4:32 PM +0000 "Thangavel, Parameswaran" Parameswaran.Thangavel@rsa.com wrote:
We hash at the application side (Java) before persisting it into the table. We use SSHA256. At a high level, below is the pseudo code of the hashing.
With OpenLDAP, you should let the LDAP server do the hashing rather than some external application, and ensure that an LDAPv3 Password modify extended operation is being used.
I would suggest loading the pw-sha2 contrib module as a part of your OpenLDAP configuration and seeing if it can work with the hashes created by your Java application.
I don't know whose OpenLDAP binary build you're using so it's difficult to say much beyond that, but the pw-sha2 module is generally included with RH, Debian, and Ubuntu builds of OpenLDAP.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
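As an added example (not from the thread, and not OpenLDAP's own code), the following Python shows the compatibility check Quanah suggests running against the Java application's hashes. The pw-sha2 module's {SSHA256} scheme digests the password followed by the salt and stores base64(digest || salt); the Java pseudo code above digests the salt followed by the password. The function names and the sample password and salt are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 32  # SHA-256 digest size in bytes
SCHEME = "{SSHA256}"

def ssha256_openldap(password: bytes, salt: bytes) -> str:
    # pw-sha2 layout: {SSHA256} + base64( SHA-256(password || salt) || salt )
    digest = hashlib.sha256(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")

def app_hash_salt_first(password: bytes, salt: bytes) -> str:
    # Layout reconstructed from the Java pseudo code in the thread:
    # base64( SHA-256(salt || password) || salt ), no scheme prefix
    digest = hashlib.sha256(salt + password).digest()
    return base64.b64encode(digest + salt).decode("ascii")

def verify_ssha256(password: bytes, stored: str) -> bool:
    # Check a {SSHA256} value the way pw-sha2 does on bind: strip the scheme,
    # treat everything after the first 32 bytes as salt, recompute and compare
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        return False  # no salt present; not a valid SSHA256 blob
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password + salt).digest()
    return hmac.compare_digest(candidate, digest)

def check_migration(password: bytes, salt: bytes) -> dict:
    # Naive migration: prefix the application's base64 blob with {SSHA256}
    # and see whether OpenLDAP would still accept the user's password
    native = ssha256_openldap(password, salt)
    reprefixed = SCHEME + app_hash_salt_first(password, salt)
    return {
        "openldap_layout_verifies": verify_ssha256(password, native),
        "app_layout_reprefixed_verifies": verify_ssha256(password, reprefixed),
    }

if __name__ == "__main__":
    # Constructed sample input: a test password and a random 5-byte salt,
    # matching the salt length used in the thread's pseudo code
    print(check_migration(b"correct horse battery", os.urandom(5)))
```

Because the digest input order differs, the application's stored blob cannot be re-encoded into the pw-sha2 layout without the cleartext password, so this is the case to settle before importing userPassword values.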