I am setting up OpenLDAP for one of my Java applications. Usernames and passwords are stored in OpenLDAP and users are able to update their passwords via the application (using the javax.naming.directory API). I imported our users from our existing Sun Directory Server into OpenLDAP. Import was successful and passwords were encrypted in SSHA format. I noticed that when I update a password from the application, it stores it in 'Plain Text' format. I can unhide the password when I view it via Apache Directory Studio. A lot of googling later, I tried setting the "password-hash {SSHA}" in the slapd.conf file and that didn't help me either. I am on a Windows environment. I am passing the password to OpenLDAP in plain text format. There is no encryption going on in the code. I know I can encrypt it in the application but I would prefer OpenLDAP to do it for me. Please let me know if I can do anything on the OpenLDAP side.
This is the Java code I use today to modify passwords. This has been working fine in our existing environment for the past 7 years.
import javax.naming.directory.*;

// Build a single REPLACE of userPassword carrying the clear-text value;
// slapd stores exactly the bytes it receives here.
ModificationItem[] newAttribs = new ModificationItem[1];
Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
newAttribs[0] = passwordItem;
.....
// The entry DN is built by string concatenation (userId is inserted unescaped).
DirContext ctx = this.getContext();
ctx.modifyAttributes(DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);
On 04/09/13 09:07 -0400, Derryl Varghese wrote:
If your application supports the password extended operation, slapd will hash passwords on the fly according to your password-hash configuration.
See slapo-ppolicy(5) and slapo-constraint(5) for ways to restrict what can be written. With slapd.access(5) you can restrict a user's ability to read the userPassword attribute.
--On Tuesday, April 09, 2013 8:56 AM -0500 Dan White dwhite@olp.net wrote:
If your application supports the password extended operation, slapd will hash passwords on the fly according to your password-hash configuration.
I would also *strongly* advise using the UnboundID SDK if you are going to be using Java to talk to LDAP.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Derryl Varghese wrote:
If you send a clear-text password value when modifying 'userPassword' it will be clear-text.
Several solutions:
1. Set "password-hash {SSHA}" in the slapd.conf and change password via LDAP Modify Extended Operation (RFC 3062).
2. Generate hashed userPassword value at the client side.
3. Use overlay slapo-ppolicy and set ppolicy_hash_cleartext (but read warnings in man page before).
Ciao, Michael.
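The extended-operation route that Dan and Michael both point to (RFC 3062 Password Modify, Michael's option 1), worked through as an added example rather than code from this thread or from the OpenLDAP project. It uses only javax.naming, which ships no request class for this operation, so the request value is BER-encoded by hand. The host, bind DN, target user DN and the LDAP_BIND_PW environment variable are assumptions; the OID and the value layout come from RFC 3062.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * RFC 3062 Password Modify extended operation on plain JNDI.
 * javax.naming ships no request class for it, so the value is BER-encoded by hand:
 *   PasswdModifyRequestValue ::= SEQUENCE {
 *     userIdentity [0] OCTET STRING OPTIONAL,
 *     oldPasswd    [1] OCTET STRING OPTIONAL,
 *     newPasswd    [2] OCTET STRING OPTIONAL }
 */
public final class PasswordModifyRequest implements ExtendedRequest {
    public static final String OID = "1.3.6.1.4.1.4203.1.11.1";
    private final byte[] encoded;

    public PasswordModifyRequest(String userIdentity, String oldPasswd, String newPasswd) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        // Context-specific primitive tags [0], [1], [2] are 0x80, 0x81, 0x82.
        if (userIdentity != null) writeTlv(body, 0x80, userIdentity.getBytes(StandardCharsets.UTF_8));
        if (oldPasswd != null) writeTlv(body, 0x81, oldPasswd.getBytes(StandardCharsets.UTF_8));
        if (newPasswd != null) writeTlv(body, 0x82, newPasswd.getBytes(StandardCharsets.UTF_8));
        ByteArrayOutputStream seq = new ByteArrayOutputStream();
        writeTlv(seq, 0x30, body.toByteArray());   // outer SEQUENCE
        this.encoded = seq.toByteArray();
    }

    /** Tag, definite-form length (short form below 128, long form up to 65535), content. */
    static void writeTlv(ByteArrayOutputStream out, int tag, byte[] content) {
        int len = content.length;
        out.write(tag);
        if (len < 0x80) {
            out.write(len);
        } else if (len <= 0xFF) {
            out.write(0x81);
            out.write(len);
        } else {
            out.write(0x82);
            out.write(len >>> 8);
            out.write(len & 0xFF);
        }
        out.write(content, 0, len);
    }

    @Override public String getID() { return OID; }
    @Override public byte[] getEncodedValue() { return encoded.clone(); }

    @Override
    public ExtendedResponse createExtendedResponse(String id, byte[] berValue, int offset, int length) {
        // The server only returns a value (SEQUENCE { genPasswd [0] OCTET STRING }) when it
        // generated the password itself, i.e. when newPasswd was omitted. We always send
        // newPasswd, so the value is normally absent; keep whatever arrives as raw bytes.
        final byte[] value = berValue == null ? null : Arrays.copyOfRange(berValue, offset, offset + length);
        return new ExtendedResponse() {
            public String getID() { return id; }
            public byte[] getEncodedValue() { return value; }
        };
    }

    /**
     * Sets the user's password via the extended operation instead of a REPLACE on
     * userPassword, so slapd hashes it according to its password-hash directive.
     * oldPassword may be null when the bound identity has write access to the entry;
     * a user changing their own password supplies it and slapd verifies it first.
     */
    public static void changePassword(LdapContext ctx, String userDn, String oldPassword, String newPassword)
            throws NamingException {
        // Any LDAP error (unwillingToPerform, a ppolicy constraint violation, ...) surfaces
        // as a NamingException; a normal return means the hashed value is stored.
        ctx.extendedOperation(new PasswordModifyRequest(userDn, oldPassword, newPassword));
    }

    // Host, bind DN, target DN and the LDAP_BIND_PW variable are assumptions for this example.
    public static void main(String[] args) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // TLS matters: the new password travels in clear inside the request value.
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=pwadmin,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW"));
        // Read the new password from the terminal rather than argv, where other processes could see it.
        String newPassword = new String(System.console().readPassword("New password for jdoe: "));
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            changePassword(ctx, "uid=jdoe,ou=people,dc=example,dc=com", null, newPassword);
        } finally {
            ctx.close();
        }
    }
}
```

Because the password arrives through the extended operation rather than as a modification of userPassword, slapd applies its global `password-hash` directive before storing it; a REPLACE of userPassword stores whatever bytes the client sends, which is why `password-hash {SSHA}` alone changed nothing for the JNDI code quoted above. To confirm the result, search as an identity that slapd.access(5) allows to read the attribute, for instance `ldapsearch -x -H ldaps://ldap.example.com -D cn=pwadmin,dc=example,dc=com -W -b dc=example,dc=com '(uid=jdoe)' userPassword`; OpenLDAP's ldapsearch prints userPassword base64-encoded, so an SSHA value shows as `userPassword:: e1NTSEF9...` (e1NTSEF9 decodes to `{SSHA}`). If the client cannot be changed, Michael's third option, `overlay ppolicy` with `ppolicy_hash_cleartext` in the database section of slapd.conf, makes slapd hash clear-text userPassword modifications as well; the warning he refers to is slapo-ppolicy(5)'s note that this violates the X.500/LDAP information model and exists to compensate for clients that do not use Password Modify.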
Hashing the password on the client side (using Jasypt) helped. Looks like I can look at UnboundID as suggested to do the password modify extended operation. I don't know how to do this using the javax.naming package. The UnboundID SDK looks easier. Thanks!!
On Tue, Apr 9, 2013 at 12:29 PM, Michael Ströder michael@stroeder.comwrote:
openldap-technical@openldap.org