
Java LDAP - unable to authenticate users

I am facing an issue and need to resolve it as soon as possible; I need your help.

I have a very simple Java program just for sample authentication of an LDAP user.

Issue 1:

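import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapAuthSample {

    public static void main(String[] args) throws NamingException {

        final String ldapAdServer = "ldap://0.0.0.0:389";

        // Bind DN and the value sent as the password (here the Base64 text from the export)
        final String ldapUsername = "uid=test,ou=People,dc=example,dc=com";
        final String ldapPassword = "gdyb21LQTcIANtvYMT7QVQ==";

        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        if (ldapUsername != null) {
            env.put(Context.SECURITY_PRINCIPAL, ldapUsername);
        }
        if (ldapPassword != null) {
            env.put(Context.SECURITY_CREDENTIALS, ldapPassword);
        }
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapAdServer);

        env.put("java.naming.ldap.attributes.binary", "objectSID");

        // Creating the context performs the simple bind; a rejected bind throws a NamingException
        DirContext ctx = new InitialDirContext(env);
        ctx.close();
    }
}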

Running the above program gives a "[LDAP: error code 49 - Invalid Credentials]" error. Also, I have taken an export of the LDAP users, and userPassword is the same as entered in the program:

dn: uid=test,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
uid: test
mail: test@yopmail.com
userPassword: {MD5}gdyb21LQTcIANtvYMT7QVQ==

The same password I have entered above, and the Java code is throwing an error. Additionally, I have used dsconfig and configured "default-password-storage-scheme" to use MD5, and that works well when I just give the plain password, but I need to pass the MD5 hex password to LDAP to get authenticated.

Issue 2: We are using Liferay as the backend system, and all user details must be stored in LDAP. If a user changes their password, Liferay generates the password using MD5 and hex encoding, something like "098f6bcd4621d373cade4e832627b4f6", but when the same is exported using the export LDIF option, we get something like "{MD5}gdyb21LQTcIANtvYMT7QVQ==" in LDAP. There is a mismatch between the password generated by Liferay and the one in LDAP; I want the Liferay MD5 password to go into LDAP. Again, entering the password obtained from the LDIF file into the Java program doesn't seem to work, while the plain clear-text password works.

Need serious help on this.

Please feel free to ask if any additional information is required.

There is nothing wrong with your code. The problem is that OpenDJ is expecting the clear text password instead of the hashed value (which is what you're using).

When OpenDJ receives a bind request (a bind request is how users authenticate against an LDAP server) it will grab the password from the request, compute the hash value, and compare it against the value stored in the userPassword attribute (gdyb21LQTcIANtvYMT7QVQ== in your case). Notice that OpenDJ prepends the hash algorithm that was used originally (MD5, SHA1, etc.).

So using clear text passwords should fix Issue 1.

The above explanation should also shed some light on what's causing Issue 2. Liferay is passing the password hash when modifying the userPassword attribute in OpenDJ. However, OpenDJ believes it's receiving the clear text value, so it hashes the password again. Thus you end up with a "double hashed" password in your LDAP server.

You have two options to fix Issue 2:

  • Disable hashing in Liferay and let OpenDJ do the hashing.
  • Allow pre-encoded passwords in LDAP and configure Liferay to pass the password value in binary format. To allow pre-encoded passwords you just need to set the allow-pre-encoded-passwords advanced password policy property to true. I am afraid I cannot help you with the Liferay configuration.
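
The bind comparison and the two encodings discussed in this answer, as an added example (not code from the original post or from OpenDJ). The class name, method names and the sample clear-text password are assumptions made for illustration, and the check is a simplified model of what a server does for the MD5 storage scheme that this directory is configured with.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class Md5SchemeDemo {   // hypothetical name, illustration only

    static byte[] md5(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Form seen in the LDIF export: "{MD5}" followed by Base64 of the raw digest bytes.
    static String encode(byte[] digest) {
        return "{MD5}" + Base64.getEncoder().encodeToString(digest);
    }

    // Simplified bind check: hash whatever the client sent, compare with the stored digest.
    static boolean bindMatches(String presented, String stored) throws NoSuchAlgorithmException {
        byte[] expected = Base64.getDecoder().decode(stored.substring("{MD5}".length()));
        return MessageDigest.isEqual(md5(presented), expected);
    }

    // Hex text (the form Liferay produces) back to the raw digest bytes.
    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String clear = "constructed-sample-pw";   // constructed sample value, not from the page
        String stored = encode(md5(clear));
        System.out.println("stored value:             " + stored);
        System.out.println("bind with clear text:     " + bindMatches(clear, stored));
        // Issue 1: the Base64 text from the export is sent as if it were the password.
        System.out.println("bind with exported text:  " + bindMatches(stored.substring(5), stored));

        String liferayHex = "098f6bcd4621d373cade4e832627b4f6";   // hex digest quoted in the question
        // Same digest bytes, only re-encoded: the pre-encoded form of the Liferay value.
        System.out.println("same digest, pre-encoded: " + encode(fromHex(liferayHex)));
        // Issue 2: the hex text treated as a clear-text password and hashed a second time.
        System.out.println("hex text hashed again:    " + encode(md5(liferayHex)));
    }
}
```

The last two lines of output differ, which is the mismatch described as "double hashed" above: the hex string and the Base64 string are two encodings of one digest only when the server stores the bytes as received instead of hashing them again.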
