
Set already hashed password for LDAP users (with Java)

I am trying to migrate a legacy application (which does its own user management) to LDAP. The legacy application stores its users in a database table with hashed passwords. I know the hashing algorithm (SSHA-256) as well as the salt (the username), and I am able to recreate the hashes with a couple of lines of code (when I know the password, e.g. for one of the test users).

This is how the hashes have been created:

import java.security.MessageDigest;

// Legacy scheme: hex(SHA-256(password + "{" + salt + "}")), where salt is the username.
public static String hash(String password, String salt) throws Exception {

    MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
    // The salt is wrapped in braces and appended to the password before hashing.
    String text = password + "{" + salt + "}";
    messageDigest.update(text.getBytes("UTF-8"));
    byte[] digest = messageDigest.digest();
    // Lower-case hex encoding of the 32-byte digest (64 characters).
    StringBuilder stringBuilder = new StringBuilder(digest.length * 2);
    for (byte b : digest)
        stringBuilder.append(String.format("%02x", b & 0xff));
    return stringBuilder.toString();
}

The result of this method is stored in the legacy database. I want to use this password hash for the users in LDAP, too (otherwise, every user would have to create a new password after the migration). I tried the following to set the password in LDAP:

import javax.naming.directory.Attribute;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

// context is an already bound DirContext (e.g. an InitialDirContext) with write access to the entry.
Attribute attribute = new BasicAttribute("userpassword", someHashFromTheMethodAbove);
ModificationItem[] modifications = new ModificationItem[1];
modifications[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attribute);
context.modifyAttributes("uid=testuser,ou=User,dc=users,dc=de", modifications);

The actual setting of the password works; I can see that the password of the user has been changed. However, I am unable to authenticate with the new password.


In most LDAP servers, the SSHA hashing scheme is based on SHA-1 and not SHA-256. You might want to try with a {SSHA256} prefix.
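The point behind the answer, as an added example (a small Python migration helper written for this page, not code from the question or the answer): the salted-SHA family of userPassword schemes ({SSHA}, {SSHA256}, ...) stores base64(digest || salt) after the scheme prefix, where digest = SHA-x(password || salt), and the server recovers the salt as everything after the fixed-size digest. The legacy scheme in the question hashes password || "{username}", so "{username}" is the salt, and an existing hex digest can be re-encoded as an {SSHA256} value without knowing anyone's password. A value written without any {scheme} prefix, as in the question, is treated by most servers as cleartext, which is why the bind fails (the hex string itself would be accepted as the password, the real password would not). The example assumes the target directory supports {SSHA256} with this layout (OpenLDAP needs the pw-sha2 module loaded for it; 389 Directory Server has it built in); verify_ssha256 only emulates that server-side check locally and talks to no server.

```python
import base64
import hashlib
import hmac

SCHEME = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def legacy_hash(password: str, salt: str) -> str:
    """Port of the question's Java hash(): hex(SHA-256(password + "{" + salt + "}"))."""
    text = password + "{" + salt + "}"
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def legacy_to_ssha256(hex_digest: str, username: str) -> str:
    """Re-encode a legacy hex digest as an {SSHA256} userPassword value.

    No password is needed: the digest already covers password || "{username}",
    so "{username}" is appended as the salt and the whole thing is base64
    encoded. A server that implements the salted-SHA-256 scheme (assumption:
    the target directory does) will split it back into digest and salt.
    """
    digest = bytes.fromhex(hex_digest)
    if len(digest) != DIGEST_LEN:
        raise ValueError("legacy value is not a SHA-256 hex digest")
    salt = ("{" + username + "}").encode("utf-8")
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(stored: str, password: str) -> bool:
    """Local emulation of the server-side bind check for an {SSHA256} value:
    split stored value into digest and salt, re-hash password || salt, compare
    in constant time. Values without the scheme prefix are rejected here; a
    real server would instead compare them as cleartext."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def migrate_user(username: str, legacy_hex: str) -> str:
    """Value to write into userPassword for one migrated user (replace the
    bare hex string from the question with this)."""
    return legacy_to_ssha256(legacy_hex, username)


if __name__ == "__main__":
    # Constructed test user; the password is only needed here to show the check passes.
    user, pw = "testuser", "correct horse battery staple"
    legacy = legacy_hash(pw, user)          # what the legacy database holds
    stored = migrate_user(user, legacy)     # what goes into userPassword
    print(stored)
    print("verifies:", verify_ssha256(stored, pw))
```

The value returned by migrate_user is what the JNDI snippet in the question should pass to BasicAttribute("userpassword", ...). If the bind still fails after that, check first that the server actually supports the {SSHA256} scheme at all (a server that does not know the prefix will usually refuse the value or compare it as cleartext), and only then suspect the hash itself.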

Statement: the technical posts on this site follow the CC BY-SA 4.0 license; if you republish, please credit this site or the original source.
