LDAP authentication on Apache against hashed password

I have a setup with an Apache HTTP server front-facing a Tomcat server. The Apache server uses LDAP for authentication.

I am using an embedded LDAP server (Apache DS) and have configured it to disable anonymous bind using:

    service.setAllowAnonymousAccess(false); // Disable anonymous access
    service.setAccessControlEnabled(true);  // Enable basic access control check (allow only the system admin to log in to the LDAP server)

My application uses Spring LDAP to connect and perform user operations like adding a user. I have configured it in spring.xml as follows:

    <bean id="ldapContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="url" value="ldap://localhost:389" />
        <property name="base" value="dc=test,dc=com" />
        <property name="userDn" value="uid=admin,ou=system" />
        <property name="password" value="secret" />
    </bean>

Apache httpd.conf is configured to use basic auth:

    AuthLDAPBindDN "uid=admin,ou=system"
    AuthLDAPBindPassword "{SHA}<Hash for secret>"

ISSUE 1: When trying to log in to the LDAP server using a client (say JXplorer), I am able to log in using both the hashed password and the plain text "secret". How is that possible?

In this case, if someone gets to know the AuthLDAPBindDN and AuthLDAPBindPassword (which is a hashed one in my case), they will be able to use the same to log in to the LDAP server with full access, which is a security threat.

Also, I want to replace the password in spring.xml with a hashed one. Since the admin can change the LDAP password, how do I ensure my application uses the updated hashed password when we are hard-coding it in spring.xml?

With regards to your second question: you should typically never hardcode stuff like server URLs, user names, passwords, etc. in your XML file. These things should typically be externalized to a property file and processed using <context:property-placeholder>. Say, for instance, that you have a property file with the following contents:

ldap.server.url=ldap://localhost:389
ldap.base=dc=test,dc=com
ldap.userDn=uid=admin,ou=system
ldap.password=secret

You can then refer to these properties in your configuration file, e.g.:

    <context:property-placeholder ignore-resource-not-found="true"
                                  location="classpath:/ldap.properties,
                                            file:/etc/mysystem/ldap.properties" />

    <bean id="ldapContextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="url" value="${ldap.server.url}" />
        <property name="base" value="${ldap.base}" />
        <property name="userDn" value="${ldap.userDn}" />
        <property name="password" value="${ldap.password}" />
    </bean>

Spring will automatically replace the stuff within ${} with the corresponding values from your properties file.

Note that I specified two property file locations in the <context:property-placeholder> element, and that I also included ignore-resource-not-found="true". This is useful, because it enables you to include a properties file with your source for a simple development setup, but in production, if you place a properties file under /etc/mysystem/ldap.properties, this will override the stuff in the bundled properties file.

This way, if the password is changed by the admin in the production environment, all you need to do is change the properties file; you don't need to rebuild the application.

With regards to why Apache DS accepts the hashed password: one reason might be that your LDAP server is set up to accept anonymous access for read operations, which means that it actually doesn't authenticate at all when you're just reading. Might be something else though; you'll have to direct the question to Apache DS support.
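As an added illustration (not part of the question or the answer above), the following Python reproduces the RFC 2307-style {SHA} userPassword encoding used in the httpd.conf snippet and contrasts a correct simple-bind check with a hypothetical flawed one that also accepts the literal stored hash string as the credential. That flawed behaviour is what the question describes, and it is why a "{SHA}..." value placed in httpd.conf has to be protected exactly like a plaintext password. The function names and the sample password are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample: the plaintext used in the question's configuration.
PLAINTEXT = "secret"


def sha_scheme_hash(password: str) -> str:
    """Encode a password the way LDAP stores it under the {SHA} scheme:
    "{SHA}" + base64(SHA-1(password)). Unsalted SHA-1, so identical
    passwords always produce identical stored values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# What a directory would hold in userPassword for this account.
STORED = sha_scheme_hash(PLAINTEXT)


def verify_bind_correct(stored: str, credential: str) -> bool:
    """Correct simple-bind check: hash the supplied credential with the same
    scheme and compare it to the stored value in constant time. The stored
    hash itself is never a valid credential here."""
    if not stored.startswith("{SHA}"):
        return False  # only the {SHA} scheme is modelled in this example
    return hmac.compare_digest(
        sha_scheme_hash(credential).encode("ascii"),
        stored.encode("ascii"),
    )


def verify_bind_flawed(stored: str, credential: str) -> bool:
    """Hypothetical flawed check, constructed to mirror the symptom in the
    question: it short-circuits when the credential equals the stored
    string, so anyone who reads the hash out of a config file can bind
    with it and gets the same access as the real password."""
    if hmac.compare_digest(credential.encode("utf-8"), stored.encode("utf-8")):
        return True
    return verify_bind_correct(stored, credential)


def bind_outcomes(stored: str, credential: str) -> dict:
    """Run both checkers on one credential; useful for spotting a directory
    that treats a leaked hash as a usable secret."""
    return {
        "correct": verify_bind_correct(stored, credential),
        "flawed": verify_bind_flawed(stored, credential),
    }


if __name__ == "__main__":
    print("stored value:", STORED)
    for cred in (PLAINTEXT, STORED, "wrong"):
        print(f"{cred!r:45} -> {bind_outcomes(STORED, cred)}")
```

Under the correct checker only "secret" binds; under the flawed one both "secret" and the stored "{SHA}..." string bind, so the hash in the config is effectively a second plaintext. Note also that {SHA} is unsalted SHA-1: storing the bind password hashed in httpd.conf does not reduce the need to restrict file permissions on it, which is the same point the answer makes about externalizing credentials to a properties file outside the build.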
