
I have an LDAP database. I'm using the inetOrgPerson object class. In this class there is a userPassword attribute. The userPassword values are SHA crypt. I am using the javax.naming.directory package to get the userPassword value. However, the returned value is not the same as the SHA password value. How can I get the correct value? A simple version of the code is:

    import java.util.ArrayList;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    // ctx is assumed to be an already-bound DirContext (e.g. an InitialDirContext)
    private DirContext ctx;

    public ArrayList<String> search(String base, String filter, String[] returningAttributes) {
        ArrayList<String> result = new ArrayList<String>();
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningAttributes(returningAttributes);

        try {
            NamingEnumeration<SearchResult> resultEnum = ctx.search(base, filter, ctls);
            while (resultEnum.hasMore()) {
                SearchResult res = resultEnum.next();

                // print DN of entry
                // System.out.println(res.getNameInNamespace());

                // collect attributes returned by search; a binary attribute such as
                // userPassword comes back as byte[], so attr.toString() yields "[B@..."
                Attributes attrs = res.getAttributes();
                NamingEnumeration<? extends Attribute> e = attrs.getAll();
                while (e.hasMore()) {
                    Attribute attr = e.next();
                    result.add(attr.toString());
                }
            }
            return result;
        } catch (NamingException e) {
            e.printStackTrace();   // previously swallowed silently
        }
        return null;
    }
olyanren
  • I don't understand what you're trying to do. Do you want to get the original password from the stored value, which is the original password hashed with SHA? – JB Nizet Aug 06 '11 at 15:41
  • No, nobody can recover the original password from the SHA password value. Let's say I entered a password into a text box in JSF 2, then created a SHA password from the entered password. After this operation I want to compare the SHA password in LDAP with my JSF 2 password. But I cannot get the correct SHA values from LDAP. The returned value is [B0X.. etc., but the expected value is: {SHA}fEqNCco3Yq9h5ZUglD3CZJT4lBs= – olyanren Aug 06 '11 at 15:47
  • 1
    Code must loop through the `attribute options` before looping through the attribute values. – Terry Gardner Aug 08 '11 at 10:40

2 Answers


I want to compare sha password in ldap with my jsf 2 password

No, you don't want to do that. You want to perform an LDAPContext.reconnect() with the new credentials and let LDAP do the comparison.

user207421
  • And what should be done in case I need to cache LDAP entries to separate store? For example like JIRA does it for user management? – Peter Siska Oct 28 '11 at 22:10
  • @PeterSiska I don't know anything about Jira but it should use LDAP the same way everybody else does. There are serious legal consequences of being able to decrypt passwords: you lose non-repudiability of transactions. Regarding your question there is no such thing as a 'JSF password' in the first place. – user207421 Oct 29 '11 at 00:51
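The bind-based check the answer recommends, written out as an added example (this is not code from the question or the answer). It assumes a directory at ldap://ldap.example.com:389/, a base DN of ou=people,dc=example,dc=com and a read-only lookup account cn=lookup,dc=example,dc=com; all of those are placeholders. It goes a little beyond the answer: the user's DN is looked up with a filter-escaped uid so that user input cannot change the filter, an empty password is rejected before binding, and an ambiguous uid is refused.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapBindAuth {

    // Assumed deployment values; replace with your own directory and base DN.
    private static final String LDAP_URL = "ldap://ldap.example.com:389/";
    private static final String BASE_DN = "ou=people,dc=example,dc=com";
    // Assumed service account used only to look up the user's DN.
    private static final String LOOKUP_DN = "cn=lookup,dc=example,dc=com";
    private static final String LOOKUP_PW = "change-me";

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    private static Hashtable<String, Object> env(String principal, String credentials) {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }

    /** Find the DN of the inetOrgPerson whose uid matches; null if none or not unique. */
    static String findUserDn(String uid) throws NamingException {
        DirContext ctx = new InitialDirContext(env(LOOKUP_DN, LOOKUP_PW));
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[] {"uid"});  // we only need the DN
            String filter = "(&(objectClass=inetOrgPerson)(uid=" + escapeFilterValue(uid) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, ctls);
            if (!results.hasMore()) return null;
            String dn = results.next().getNameInNamespace();
            return results.hasMore() ? null : dn;   // more than one match: refuse
        } finally {
            ctx.close();
        }
    }

    /** True only if the directory accepts a simple bind as the user with this password. */
    static boolean authenticate(String uid, String password) throws NamingException {
        // RFC 4513 section 5.1.2: a simple bind with an empty password is an
        // unauthenticated bind, which many servers accept, so never send one.
        if (password == null || password.isEmpty()) return false;
        String dn = findUserDn(uid);
        if (dn == null) return false;
        try {
            DirContext userCtx = new InitialDirContext(env(dn, password));
            userCtx.close();
            return true;   // the server did the hash comparison for us
        } catch (AuthenticationException e) {
            return false;  // wrong password, disabled or locked account
        }
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(authenticate("jdoe", "secret") ? "login ok" : "login failed");
    }
}
```

With "simple" authentication the password travels in clear, so in practice the PROVIDER_URL should be ldaps:// or the connection should be upgraded with StartTLS before the bind; the userPassword attribute itself never needs to be read by the application.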

I'm not sure I understand your question, but if the password hash isn't what you would expect this could be the reason:

The server stores salted password hashes, which will be different from sha1(password).

Anders Lindahl
  • `[B@e06940` is what you get by calling System.out.println() on a `byte[]` array... `byte[]` doesn't have `toString()`. – J-16 SDiZ Aug 06 '11 at 16:18
  • I solved the problem. I only added `Attribute attr = (Attribute) e.next(); Object value = attr.get(0); System.out.println(new String((byte[]) value));` – olyanren Aug 06 '11 at 16:22
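An added example (not code from the answer or the comments) showing the two points made above: userPassword arrives from JNDI as a byte[] that has to be decoded to text, and a {SSHA} value is SHA-1 over password plus a per-entry salt, which is why it never equals a plain sha1(password). The sample stored value is constructed in main() from a random salt rather than read from a directory. Checking the hash client-side like this is only appropriate when the entry is mirrored into a separate store, as asked in the comment on the other answer; for a login, binding as the user is the right approach.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class UserPasswordHash {

    /** Decode the raw bytes JNDI returns for userPassword into its textual form. */
    static String decodeAttribute(byte[] raw) {
        return new String(raw, StandardCharsets.UTF_8);   // e.g. "{SSHA}..." or "{SHA}..."
    }

    /** Build a {SSHA} value (digest || salt, base64), or {SHA} when the salt is empty. */
    static String hash(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        sha1.update(salt);
        byte[] digest = sha1.digest();
        byte[] stored = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, stored, digest.length, salt.length);
        String scheme = salt.length == 0 ? "{SHA}" : "{SSHA}";
        return scheme + Base64.getEncoder().encodeToString(stored);
    }

    /** Check a candidate password against a {SHA} or {SSHA} userPassword value. */
    static boolean verify(String candidate, String stored) throws NoSuchAlgorithmException {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) return false;   // no scheme prefix
        String scheme = stored.substring(1, close).toUpperCase();
        byte[] blob = Base64.getDecoder().decode(stored.substring(close + 1));
        byte[] salt;
        if (scheme.equals("SHA")) {
            salt = new byte[0];
        } else if (scheme.equals("SSHA")) {
            if (blob.length < 20) return false;
            salt = Arrays.copyOfRange(blob, 20, blob.length);  // salt follows the 20-byte digest
        } else {
            return false;   // {CRYPT}, {MD5}, ... are not handled in this example
        }
        String recomputed = hash(candidate, salt);
        byte[] expected = Base64.getDecoder().decode(recomputed.substring(scheme.length() + 2));
        return MessageDigest.isEqual(expected, blob);   // constant-time comparison
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);
        // Constructed sample: the bytes a directory would hand back for "secret" with this salt.
        byte[] rawFromLdap = hash("secret", salt).getBytes(StandardCharsets.UTF_8);
        String stored = decodeAttribute(rawFromLdap);
        System.out.println("stored value : " + stored);
        System.out.println("verify secret: " + verify("secret", stored));
        System.out.println("verify Secret: " + verify("Secret", stored));
        // The same password with a different salt gives a different stored value,
        // so comparing sha1(password) against the stored blob cannot work for {SSHA}.
        byte[] otherSalt = {1, 2, 3, 4, 5, 6, 7, 8};
        System.out.println("same value with another salt: "
                + hash("secret", salt).equals(hash("secret", otherSalt)));
    }
}
```

The salt is recovered from the stored value itself, which is the only way a client can recompute the hash; an unsalted {SHA} value is the single case where sha1(password) alone would match.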