Send Encrypted Password To LDAP in Java

I have a problem and I have no idea how to solve it.

I load an encrypted password (SSHA) from a text file, and I need to add a user with this password from Java source code.

Example from the file: e1NTSEF9Ukd6ZEZyanZBZlJGMGs3eGFDOGZxQ3U3QlozcUZXRGJoeWIyS0E9PQ==

Real password: 123

Example code that does not work as I want:

// value copied verbatim from the text file
String encryptedPSWD = "e1NTSEF9Ukd6ZEZyanZBZlJGMGs3eGFDOGZxQ3U3QlozcUZXRGJoeWIyS0E9PQ==";
attributes.add(new BasicAttribute("userPassword", "{SSHA}" + encryptedPSWD));

It does not work; is that because we can only send the real password value? And is the problem that this is one-way encryption, so LDAP will not be able to decrypt it either?

The error number and text from the LDAP server would be instructive; but, in the general case, there are two things that stand out:

(1) Assuming the user already has a password, you are modifying an existing attribute, not adding an attribute. If you attempt to add a value to a single-valued attribute that already has a value, or if you attempt to add a value to a multi-valued attribute where that value is already present, you get LDAP error 20. Modifying an existing attribute would look something like this:

// REPLACE the current userPassword value instead of ADDing a second one
LDAPModificationSet attributes = new LDAPModificationSet();
LDAPAttribute attrUserPassword = new LDAPAttribute("userPassword", "{SSHA}" + encryptedPSWD);
attributes.add(LDAPModification.REPLACE, attrUserPassword);

(2) Some directories do not allow using "pre-encoded" passwords by default. This is because password policies cannot be applied to an unknown password (i.e. how do I know this password is at least eight characters, contains a special character, and does not contain a dictionary word?). The Oracle Unified Directory servers that I manage return error 53 in this case, along with text saying "Pre-encoded passwords are not allowed for the password attribute userPassword.", but other directory servers may use a different code (53 is a pretty generic code that just means something in the server config prevented the action from being completed). How to sort it out depends on the LDAP server -- mine have an allow-pre-encoded-passwords Boolean within the password policy. I generally set it to "true", bulk import users, then return the setting to "false" to prevent app developers from circumventing our password policies.
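A worked example, added here and not part of the question or the answer above. It assumes the value in the text file is the LDIF-style base64 wrapping of the whole userPassword value: the question's sample decodes to a string that already begins with the literal {SSHA} prefix followed by 40 base64 characters (a 20-byte SHA-1 digest plus an 8-byte salt, the usual RFC 2307 SSHA layout), so prepending "{SSHA}" a second time, as the question's snippet does, produces a value no server can interpret. The example unwraps the file value, checks it against a cleartext, shows how a fresh {SSHA} value is built, and constructs the REPLACE modification from the answer using the standard JNDI API (javax.naming) rather than the JLDAP classes the answer uses. The class and method names (SshaPasswordCheck, unwrap, verifySsha, makeSsha, replacePassword) are my own; no directory is contacted.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

/**
 * Added example (not code from the question or the answer). Shows what the
 * text-file value really contains and how to send it with a REPLACE.
 */
public class SshaPasswordCheck {

    // Value copied from the question's text file.
    static final String FILE_VALUE =
        "e1NTSEF9Ukd6ZEZyanZBZlJGMGs3eGFDOGZxQ3U3QlozcUZXRGJoeWIyS0E9PQ==";

    /** Assumption: the file stores the attribute base64-wrapped (LDIF "userPassword::" style). */
    static String unwrap(String fileValue) {
        return new String(Base64.getDecoder().decode(fileValue), StandardCharsets.UTF_8);
    }

    /** Verify an RFC 2307 {SSHA} value: base64( SHA1(password || salt) || salt ). */
    static boolean verifySsha(String stored, String password) throws Exception {
        if (!stored.startsWith("{SSHA}")) {
            throw new IllegalArgumentException("not an {SSHA} value: " + stored);
        }
        byte[] blob = Base64.getDecoder().decode(stored.substring("{SSHA}".length()));
        byte[] digest = Arrays.copyOfRange(blob, 0, 20);        // SHA-1 output is 20 bytes
        byte[] salt = Arrays.copyOfRange(blob, 20, blob.length); // whatever follows is the salt
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        sha1.update(salt);
        // constant-time comparison of the recomputed digest with the stored one
        return MessageDigest.isEqual(digest, sha1.digest());
    }

    /** Build a fresh {SSHA} value; only useful where the server permits pre-encoded passwords. */
    static String makeSsha(String password) throws Exception {
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        sha1.update(salt);
        byte[] digest = sha1.digest();
        byte[] blob = new byte[digest.length + salt.length];
        System.arraycopy(digest, 0, blob, 0, digest.length);
        System.arraycopy(salt, 0, blob, digest.length, salt.length);
        return "{SSHA}" + Base64.getEncoder().encodeToString(blob);
    }

    /** The modification the answer describes, in JNDI terms: REPLACE, not ADD. */
    static ModificationItem[] replacePassword(String storedValue) {
        // userPassword is an octet string: send the bytes of "{SSHA}..." exactly as stored,
        // with no second "{SSHA}" prefix and no extra base64 layer.
        byte[] raw = storedValue.getBytes(StandardCharsets.UTF_8);
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                 new BasicAttribute("userPassword", raw))
        };
    }

    public static void main(String[] args) throws Exception {
        String stored = unwrap(FILE_VALUE);
        System.out.println("file value decodes to: " + stored);
        System.out.println("matches cleartext '123': " + verifySsha(stored, "123"));
        System.out.println("freshly generated value: " + makeSsha("123"));
        ModificationItem[] mods = replacePassword(stored);
        System.out.println("modification op: " + mods[0].getModificationOp()
                           + " (" + DirContext.REPLACE_ATTRIBUTE + " = REPLACE)");
        // With a live DirContext ctx and the user's DN:
        //   ctx.modifyAttributes(userDn, mods);
    }
}
```

Run it with the user's cleartext to confirm the file value is what you think it is before touching the directory. If the server rejects the write with the pre-encoded-password error from point (2), the clean alternative is to send the cleartext over TLS and let the server apply its own policy and storage scheme; SHA-1-based SSHA is only worth preserving for a migration, not for new accounts.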
