
I need some pointers on how to update an encrypted password of a user within an LDAP (OpenLDAP) tree. The passwords in the LDAP server are prefixed with {crypt}, which I suppose indicates that it is encrypted (with DES?).

I need to write a method which updates a user's passwords. What is the right way to do this? Do I need to prefix the string with {crypt} myself? How do I encrypt the password for {crypt}?

UPDATE:

Just to clarify what I need is the Java code to encrypt the attribute so that it works with {crypt}. I also don't know if I have to prefix the attribute with the string {crypt} myself.

Cœur
jbx
  • Got the same problem with {SSHA}; [this](https://stackoverflow.com/a/42490862/5428477) fixed it for me with salted SHA. If one changes the message digest algo and possibly drops the salt, I guess it will work for {CRYPT} as well. – Thomas P Jun 07 '23 at 09:04

2 Answers


No, you just need to update the attribute, just like any other attribute, but remembering that unlike most attributes it is a byte[] not a String.

There is also an ExtendedOperation for password modification in association with the Password Policy IETF draft, but you haven't mentioned you're using that.

user207421
  • If I update the attribute it is stored clear text not encrypted. How do I get it to be encrypted? – jbx Jul 05 '11 at 10:19
  • It should be stored the same way it is currently stored at the server. You might have to add ;binary to the attribute name. I'm away from my source code right now but I'll have another look at this tomorrow. – user207421 Jul 05 '11 at 10:35
  • I don't think you understood the question. I am asking how to encrypt the string before saving the attribute. – jbx Jul 05 '11 at 13:09
  • @jbx I understood all right, I have code that does this, and it doesn't encrypt anything. Nor does it prefix {crypt} itself. My understanding is that the JNDI layer takes care of that for you. All it does is attrs.put("userPassword", newPassword1.getBytes()); My understanding is also that if the attribute is appropriately defined either the JNDI layer or the server itself does the encrypting. Mine certainly does. – user207421 Jul 06 '11 at 00:22
  • Thanks for your reply. I'm still not really convinced it's so. One can even have different encryptions (MD5, SHA1 etc.) apart from CRYPT, so I doubt that OpenLDAP does it automatically. If the encryption is not done client side, you would also risk passing the password unencrypted over the network. I also found this, which seems to point towards this hypothesis: http://stackoverflow.com/questions/2639167/how-to-specify-hash-algorithm-when-updating-ldap-via-java. So I just need to know how to generate a CRYPT password. – jbx Jul 09 '11 at 16:52
  • @jbx It is certain that between JNDI and OpenLDAP *someone* is doing it automatically, because someone is encrypting passwords and it certainly isn't anything in my code. – user207421 Jul 10 '11 at 09:38
  • I am speaking of the userPassword attribute. – user207421 Jul 10 '11 at 23:03
  • @jbx and my next question is why are you using {crypt} at all? See openldap.org/faq/data/cache/348.html. Not recommended. I can assure you that {MD5} passwords don't get transmitted in clear. I just sniffed it. And I have *no code* for hashing them. – user207421 Jul 13 '11 at 08:48
  • @EJP well I am just using {crypt} because 60,000 entries in the LDAP server are using {crypt} and I just want to avoid introducing other unknowns. – jbx Jul 13 '11 at 21:21
  • @jbx good reason! Point remains though, JNDI clearly does it in the case of {SHA1}. I suggest you sniff the traffic. – user207421 Jul 15 '11 at 00:20
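Added example, not code from the question or from either answer: it assumes Apache Commons Codec's `Crypt` class (which implements crypt(3)-style DES, MD5 and SHA-crypt hashing) and a plain JNDI `DirContext`. It builds the `{CRYPT}` value on the client, sends it as `byte[]` as the first answer suggests, and verifies a stored value the same way the server would; the sample password and salt are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import org.apache.commons.codec.digest.Crypt;

public final class CryptPasswordUpdater {
    private static final String SALT_CHARS =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    private static final SecureRandom RNG = new SecureRandom();

    /** Two-character salt, the form used by legacy traditional-DES {crypt} entries. */
    static String desSalt() {
        StringBuilder sb = new StringBuilder(2);
        for (int i = 0; i < 2; i++) sb.append(SALT_CHARS.charAt(RNG.nextInt(SALT_CHARS.length())));
        return sb.toString();
    }

    /** Builds the userPassword value: scheme prefix plus a crypt(3)-style hash. */
    static String encodeCrypt(String clearText, String salt) {
        // Crypt.crypt picks the algorithm from the salt: a 2-char salt gives traditional DES,
        // a "$6$..." salt (or null, which generates one) gives SHA-512 crypt.
        return "{CRYPT}" + Crypt.crypt(clearText, salt);
    }

    /** Re-hashes the candidate using the stored hash as salt; true only on an exact match. */
    static boolean verify(String storedValue, String candidate) {
        if (!storedValue.regionMatches(true, 0, "{CRYPT}", 0, 7)) return false;
        String hash = storedValue.substring(7);
        return Crypt.crypt(candidate, hash).equals(hash);
    }

    /** Replaces userPassword on the entry; the value goes over as byte[], not String. */
    static void updatePassword(DirContext ctx, String userDn, String clearText) throws NamingException {
        byte[] value = encodeCrypt(clearText, desSalt()).getBytes(StandardCharsets.UTF_8);
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userPassword", value))
        };
        ctx.modifyAttributes(userDn, mods); // only the hash crosses the wire; still use LDAPS or StartTLS
    }

    public static void main(String[] args) {
        String stored = encodeCrypt("correct horse", "ab"); // constructed password and DES salt
        System.out.println(stored);                           // {CRYPT} followed by a 13-char DES hash
        System.out.println(verify(stored, "correct horse"));  // matching candidate
        System.out.println(verify(stored, "wrong"));          // non-matching candidate
        System.out.println(verify(encodeCrypt("correct horse", null), "correct horse")); // SHA-512 crypt form
    }
}
```

Traditional DES crypt truncates the password to 8 characters and is far weaker than the SHA-512 crypt form, which OpenLDAP's {CRYPT} also accepts wherever the server's libc crypt(3) supports it, so new entries can use the stronger form while existing DES entries keep verifying.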

In some cases, using a pre-encoded password might prevent the directory server from enforcing password quality checks.

Terry Gardner