
Re: Storing of passwords

At 05:45 AM 5/18/01, Jakob Breivik Grimstveit wrote:
>I'm using some Java code for generating LDAP passwords.

If you are storing RFC 2256 userPassword values, a portable
client should just provide the password in cleartext or, if
the server supports it, use the modify password extended
operation (RFC 3060) to change the password.

If you really must implement RFC 2307 (experimental) passwords
in your client, I suggest you look at the FAQ and documents
it links for examples.

This Netscape technote is also quite useful (and is noted in our

In looking at your code, it seems you have not base64 encoded
the SHA-1 hash.


>Is this code
>sufficient? Or is there anything else I've got to do?
>There seems to be some differences in the way the passwords are stored,
>using an LDAPbrowser compared with my java code.
>private String encryptPassword(String toEncrypt) {
>    byte[] hash=toEncrypt.getBytes();
>    try {
>        MessageDigest sha = MessageDigest.getInstance ("SHA");
>        sha.update(toEncrypt.getBytes());
>        toEncrypt=new String(sha.digest());
>    } catch (NoSuchAlgorithmException nsae) {
>        System.out.println("LDAPInterface | NoSuchAlgorithmException: " + nsae);
>    }
>    return toEncrypt;
>}
>It returns something like 'CÀsOE}§Ïd.ËvíÇsQs"?'
>Is this correct? Do I have to prepend something? Is the encryption
>algorithm correct (using SHA-1)?
>Looking forward to some helpful replies!
>- Vyrdsamt...
>- Jakob Breivik Grimstveit, jakob@grimstveit.net, www.grimstveit.net
>- Morvikbotn 341, 5121 Ulset, tlf: 55195667, mob: 98833857
>- Applikasjonsutvikler, Reaktor AS, jakob.grimstveit@reaktor.no,
>"I love deadlines. I love the whooshing noise they make as they go by."
>-Douglas Adams
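
The encoding step the reply says is missing, as an added example (not code from this thread or from the OpenLDAP project): the raw SHA-1 digest is base64 encoded and the scheme name is prepended, giving the `{SHA}` form, with the salted `{SSHA}` form and a verifier alongside. The class and method names are hypothetical, UTF-8 password bytes are an assumption, and `java.util.Base64` requires Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical helper class (added example). Assumes the password is hashed as UTF-8 bytes.
public class LdapPasswordHash {
    // {SHA}: base64 of the raw 20-byte digest. The digest is never turned into a String
    // with new String(bytes), which decodes with the platform charset and is not reversible.
    static String sha(String password) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(password.getBytes(StandardCharsets.UTF_8));
        return "{SHA}" + Base64.getEncoder().encodeToString(digest);
    }

    // {SSHA}: SHA-1 over password followed by salt; the salt is appended to the digest before base64.
    static String ssha(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        byte[] digest = md.digest();
        byte[] out = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return "{SSHA}" + Base64.getEncoder().encodeToString(out);
    }

    // Recompute from the stored value (the salt is whatever follows the first 20 bytes)
    // and compare in constant time. Unknown schemes and short values are rejected.
    static boolean verify(String stored, String candidate) throws NoSuchAlgorithmException {
        boolean salted = stored.startsWith("{SSHA}");
        if (!salted && !stored.startsWith("{SHA}")) return false;
        byte[] raw = Base64.getDecoder().decode(stored.substring(stored.indexOf('}') + 1));
        if (raw.length < 20) return false;
        byte[] salt = Arrays.copyOfRange(raw, 20, raw.length);
        String again = salted ? ssha(candidate, salt) : sha(candidate);
        return MessageDigest.isEqual(again.getBytes(StandardCharsets.US_ASCII), stored.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String pw = "example-password"; // constructed sample value
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);
        String plain = sha(pw), salted = ssha(pw, salt);
        System.out.println(plain);
        System.out.println(salted);
        System.out.println(verify(plain, pw) + " " + verify(salted, pw) + " " + verify(salted, "wrong"));
    }
}
```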