7:35 p.m.
Team,
I looking to replace RDBMS with openldap as datastore for one of the product. One blocker
we have is handling the password migration.
The password is stored in hashed format in RDBMS. However, I am not able to get the
password migrated.
My goal is to migrate the data from RDBMS to OpenLDAP but without asking the end user to
reset or change their password post the migration.
Question:
1. Do we have any way to intercept the ldap bind verification and put my own logic?
2. Do we have any way to modify or customize the password hash calculation that is used
by opendlap during LDAP bind.
3. Any other suggestion?
Thanks
Param
8:02 a.m.
--On Wednesday, November 4, 2020 3:35 AM +0000 "Thangavel, Parameswaran"
<Parameswaran.Thangavel(a)rsa.com> wrote:
Team,
I looking to replace RDBMS with openldap as datastore for one of the
product. One blocker we have is handling the password migration.
The password is stored in hashed format in RDBMS. However, I am not able
to get the password migrated.
What password hash is being used by the RDBMS?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
8:32 a.m.
We hash at the application side (java) before persisting it into the table. We use
SSHA256. At high level below is the pseudo code of hashing.
=========================
//Generate salt
Generate 5 byte salt
//Add salt and password to message digest instance
Get Message Digest instance
messageDigest.update(salt);
messageDigest.update(password.getBytes());
//hash the content
byte[] hashedText = new byte[32+salt_length];
messageDigest.digest(hashedText, 0, 32);
// append the salt to the hashed text
System.arraycopy(salt, 0, hashedText, len, saltLength);
Store above byte[] in base64 format in RDBMS
=================================
-----Original Message-----
From: Quanah Gibson-Mount <quanah(a)symas.com>
Sent: Wednesday, November 4, 2020 9:32 PM
To: Thangavel, Parameswaran; openldap-technical(a)openldap.org
Subject: Re: Migration of Password Hash from RDBMs
[EXTERNAL EMAIL]
--On Wednesday, November 4, 2020 3:35 AM +0000 "Thangavel, Parameswaran"
<Parameswaran.Thangavel(a)rsa.com> wrote:
Team,
I looking to replace RDBMS with openldap as datastore for one of the
product. One blocker we have is handling the password migration.
The password is stored in hashed format in RDBMS. However, I am not
able to get the password migrated.
What password hash is being used by the RDBMS?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
8:39 a.m.
--On Wednesday, November 4, 2020 4:32 PM +0000 "Thangavel, Parameswaran"
<Parameswaran.Thangavel(a)rsa.com> wrote:
We hash at the application side (java) before persisting it into the
table. We use SSHA256. At high level below is the pseudo code of hashing.
With OpenLDAP, you should let the LDAP server do the hashing rather than
some external application, and ensure that an LDAPv3 Password modify
extended operation is being used.
I would suggest loading the pw-sha2 contrib module as a part of your
OpenLDAP configuration and seeing if it can work with the hashes created by
your Java application.
I don't know whose OpenLDAP binary build you're using so it's difficult to
say much beyond that, but the pw-sha2 module is generally included with RH,
Debian, and Ubuntu builds of OpenLDAP.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1127
days inactive
1127
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Quanah Gibson-Mount -
Thangavel, Parameswaran