Send Encryption Password To LDAP in Java

I have a problem and I have no idea how to solve it.

I load an encrypted password (SSHA) from a text file and I need to add a user with this password from the source code in Java.

Example from file: e1NTSEF9Ukd6ZEZyanZBZlJGMGs3eGFDOGZxQ3U3QlozcUZXRGJoeWIyS0E9PQ==

Real password: 123

Example code that does not work as I want:

import javax.naming.directory.BasicAttribute;

// value copied verbatim from the text file
String encryptedPSWD = "e1NTSEF9Ukd6ZEZyanZBZlJGMGs3eGFDOGZxQ3U3QlozcUZXRGJoeWIyS0E9PQ==";
attributes.add(new BasicAttribute("userPassword", "{SSHA}" + encryptedPSWD));

It does not work. Is it because we can only send the real password value? And is the problem that this is one-sided encryption and LDAP will also not be able to decrypt it?

The error number and text from the LDAP server would be instructive; but, in a general case, there are two things that stand out:

(1) Assuming the user already has a password, you are modifying an existing attribute, not adding an attribute. If you attempt to add a value to a single valued attribute that's already got a value, or if you attempt to add a value to a multi-value attribute that is already present, you would get ldap error 20. To modify an existing attribute would look something like this:

import com.novell.ldap.*;   // Novell JLDAP API

// REPLACE overwrites the existing userPassword value instead of adding a second one
LDAPModificationSet attributes = new LDAPModificationSet();
LDAPAttribute attrUserPassword = new LDAPAttribute("userPassword", "{SSHA}" + encryptedPSWD);
attributes.add(LDAPModification.REPLACE, attrUserPassword);

(2) Some directories do not allow using "pre-encoded" passwords by default. This is because password policies cannot be applied to an unknown password (i.e. how do I know this password is at least eight characters, contains a special character, and does not contain a dictionary word?). The Oracle Unified Directory servers that I manage return error 53 in this case, along with text saying "Pre-encoded passwords are not allowed for the password attribute userPassword.", but other directory servers may use a different code (53 is a pretty generic code that just means something in the server config prevented the action from being completed). How to sort it depends on the LDAP server -- mine have an allow-pre-encoded-passwords Boolean within the password policy. I generally set it to "true", bulk import users, then return the setting to 'false' to prevent app developers from circumventing our password policies.
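Added example (not code from the question or the answer above), using the JNDI API the question already uses. Note that the question's example value base64-decodes to the string {SSHA}RGzdFrjvAfRF0k7xaC8fqCu7BZ3qFWDbhyb2KA==, i.e. it already carries the {SSHA} scheme prefix, which is how an LDIF export writes a value that starts with "{"; prepending "{SSHA}" a second time produces a value no server can match. The code below undoes that outer base64 layer, checks the value is a plausible SSHA hash (20-byte SHA-1 digest plus salt), and sends it with REPLACE as point (1) recommends. The helper names, the DirContext ctx and the dn argument are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

public class SshaPasswordReplace {

    /** Turn the line read from the text file into the exact userPassword value to send. */
    static byte[] toUserPasswordValue(String fileValue) {
        // Outer layer: LDIF base64-encodes any value starting with '{'. Undo it once.
        String stored = new String(Base64.getDecoder().decode(fileValue), StandardCharsets.UTF_8);
        if (!stored.startsWith("{SSHA}")) {
            throw new IllegalArgumentException("not an {SSHA} value: " + stored);
        }
        // Inner layer: {SSHA} = base64( SHA-1(password || salt) || salt ), so after
        // decoding there must be a 20-byte digest followed by at least one salt byte.
        byte[] digestAndSalt = Base64.getDecoder().decode(stored.substring("{SSHA}".length()));
        if (digestAndSalt.length <= 20) {
            throw new IllegalArgumentException("SSHA payload too short to hold digest and salt");
        }
        // Send the scheme-prefixed string as-is; do NOT prepend "{SSHA}" a second time.
        return stored.getBytes(StandardCharsets.UTF_8);
    }

    /** Replace (not add) userPassword on an entry that already has one; ctx and dn are assumed. */
    static void replaceUserPassword(DirContext ctx, String dn, String fileValue) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("userPassword", toUserPasswordValue(fileValue)))
        };
        // A result code 53 here is the "pre-encoded passwords not allowed" case from point (2).
        ctx.modifyAttributes(dn, mods);
    }

    public static void main(String[] args) {
        // Value from the question, as read from the text file
        String fromFile = "e1NTSEF9Ukd6ZEZyanZBZlJGMGs3eGFDOGZxQ3U3QlozcUZXRGJoeWIyS0E9PQ==";
        String value = new String(toUserPasswordValue(fromFile), StandardCharsets.UTF_8);
        System.out.println(value);  // {SSHA}RGzdFrjvAfRF0k7xaC8fqCu7BZ3qFWDbhyb2KA==
    }
}
```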
