
I am having problems working out how to save a password in an Apache DS LDAP in an SSHA hash instead of plain text. As far as I can tell, the correct way to go about it should be configuring Apache DS to use SSHA to store passwords and then, when setting the password, send only the plain text. However, I can't work out how to configure Apache DS to do this.

I have pushed the Hashed password into the LDAP (Using an Admin interface to the LDAP) and Apache DS correctly authenticates against the correct password. However I need to insert the password from our Java application. This can't be an unusual request so I must be missing something.

Here is my code for setting the password from Java using the LdapTemplate interface from org.springframework.ldap.core.

import javax.naming.directory.Attribute;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.LdapTemplate;

public class PasswordStore {
    private final LdapTemplate ldapTemplate;

    public PasswordStore(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    public void storeNewPassword(final String userId, final String password) {
        // Builds uid=<userId>,dc=users,dc=pms,dc=com
        final DistinguishedName dn = new DistinguishedName("dc=users,dc=pms,dc=com");
        dn.add("uid", userId);

        // The raw password string is sent as the attribute value
        Attribute pass = new BasicAttribute("userpassword", password);

        final ModificationItem mi = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, pass);
        ldapTemplate.modifyAttributes(dn, new ModificationItem[] {mi});
    }
}

The above code correctly sets the password, but when I look at the Apache DS server I see that the password has been saved in plain text:

Please can someone verify whether this is the correct approach for setting passwords, and suggest how I can configure Apache DS to apply SSHA to passwords it receives.

Thanks

Ken
  • 1) Have you consulted the Apache DS administration documentation to learn how to configure the server to use a cryptographic digest for MODIFY and ADD requests for the user/branch/backend in question? 2) Consider using the password modify extended request (RFC3062) to change passwords where possible. – Terry Gardner Nov 26 '13 at 15:22
  • @TerryGardner Can you elaborate on your suggestions a bit. So far they have not helped me much. Are you able to provide a link to the part of the Apache DS documentation you are referring to? – Ken Nov 26 '13 at 16:17
  • It appears that Red Hat Directory Server will work exactly as I hope it would. It is also well documented and has an open source equivalent 389 Directory Server. So far my opinion of Apache DS is low. – Ken Nov 27 '13 at 11:25
  • Had a similar problem today too. If on Windows, open the LDAP-Browser and navigate to ou=config,ou=interceptors. Select the ads-interceptorId=passwordHashingInterceptor and change the value of ads-interceptorclassname to the one of your choice. Restart the service and it should be ok. – pma Oct 27 '15 at 16:00

1 Answer


You as the client are responsible to hash and encode the password. The server just stores it like any other attribute.

If you want to hash the password using MD5, you can use code like this:

import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;

public class PasswordUtil {
  // Returns the value to store in userPassword: "{MD5}" + base64(md5(password))
  public String hashAndEncodePassword(String password) {
    final byte[] md5 = DigestUtils.md5(password.trim().getBytes(StandardCharsets.UTF_8));
    final byte[] base64 = Base64.encodeBase64(md5);
    final String hashedAndEncoded = new String(base64, StandardCharsets.US_ASCII);
    return "{MD5}" + hashedAndEncoded;
  }
}

If you want to use a different hash algorithm, you must change the use of DigestUtils.md5 to the proper method.

If you want to use a salted algorithm like {SSHA}, you must adapt the code, too.
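Adapting the answer's approach to the salted {SSHA} scheme the question asks about, as an added example that is not code from the question, the answer, or Apache DS. It assumes an 8-byte random salt (any length works, since the salt is simply whatever follows the 20-byte SHA-1 digest) and uses only the JDK (java.security and java.util.Base64) instead of commons-codec; the class and method names are made up here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class SshaPasswordUtil {
    private static final int SALT_LENGTH = 8;   // assumption: 8 random salt bytes
    private static final int SHA1_LENGTH = 20;  // SHA-1 digest size in bytes
    private static final SecureRandom RNG = new SecureRandom();

    // Builds the value to store in userPassword: "{SSHA}" + base64(sha1(password || salt) || salt)
    public static String hashSsha(String password) {
        byte[] salt = new byte[SALT_LENGTH];
        RNG.nextBytes(salt);
        byte[] digest = digest(password, salt);
        byte[] digestAndSalt = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, digestAndSalt, digest.length, salt.length);
        return "{SSHA}" + Base64.getEncoder().encodeToString(digestAndSalt);
    }

    // Checks a clear-text password against a stored {SSHA} value: the salt is
    // recovered from the tail of the decoded bytes and the digest recomputed.
    public static boolean verifySsha(String password, String stored) {
        if (!stored.startsWith("{SSHA}")) {
            return false;
        }
        byte[] decoded = Base64.getDecoder().decode(stored.substring("{SSHA}".length()));
        if (decoded.length <= SHA1_LENGTH) {
            return false;  // no salt present, not a valid SSHA value
        }
        byte[] salt = Arrays.copyOfRange(decoded, SHA1_LENGTH, decoded.length);
        byte[] expected = digest(password, salt);
        // Constant-time comparison of the stored and recomputed digests
        return MessageDigest.isEqual(Arrays.copyOf(decoded, SHA1_LENGTH), expected);
    }

    private static byte[] digest(String password, byte[] salt) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(password.getBytes(StandardCharsets.UTF_8));
            sha1.update(salt);
            return sha1.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is required by the JCA spec", e);
        }
    }
}
```

The string returned by hashSsha is what goes into the userpassword attribute in place of the clear-text value in the question's storeNewPassword. Keep in mind that {SSHA} is a single SHA-1 pass: it keeps the clear text out of the directory, which is what the question asks for, but it is not a slow password-hashing function.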