
Re: openLDAP storing passwords in plain text



Hashing the password on the client side (using Jasypt) helped. Looks like I can look at UnboundID as suggested to do the password modify extended operation. I don't know how to do this using the javax.naming package. The UnboundID SDK looks easier.  Thanks!!


On Tue, Apr 9, 2013 at 12:29 PM, Michael Ströder <michael@stroeder.com> wrote:
Derryl Varghese wrote:
> I am setting up openLDAP for one of my Java applications. Usernames and
> passwords are stored in openLDAP and users are able to update their passwords
> via the application (using the javax.naming.directory API). I imported our
> users from our existing Sun Directory Server into openLDAP. Import was
> successful and passwords were encrypted in SSHA format. I noticed that when I
> update a password from the application, it stores it in 'Plain Text' format. I
> can unhide the password when I view it via Apache Directory Studio. A lot of
> googling later, I tried setting the "password-hash {SSHA}" in the slapd.conf
> file and that didn't help me either. I am on a Windows environment. I am
> passing the password to openLDAP in plain text format. There is no encryption
> going on in the code. I know I can encrypt it in the application but I would
> prefer openLDAP to do it for me. Please let me know if I can do anything on
> the openLDAP side.
>
> This is the Java code I use today to modify passwords. This has been working
> fine in our existing environment for the past 7 years.
>
> import javax.naming.directory.Attribute;
> import javax.naming.directory.BasicAttribute;
> import javax.naming.directory.DirContext;
> import javax.naming.directory.ModificationItem;
>
> // Replace userPassword with the clear-text value as typed by the user
> ModificationItem[] newAttribs = new ModificationItem[1];
> Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
> ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
> newAttribs[0] = passwordItem;
>
> .....
> DirContext ctx = this.getContext();
> ctx.modifyAttributes( DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);

If you send a clear-text password value when modifying 'userPassword' it will
be clear-text.

Several solutions:

1. Set "password-hash {SSHA}" in the slapd.conf and change password via LDAP
Modify Extended Operation (RFC 3062).

2. Generate hashed userPassword value at the client side.

3. Use overlay slapo-ppolicy and set ppolicy_hash_cleartext (but read the warnings
in the man page first).

Ciao, Michael.