
My LDIF file looks like this:

dn:uid=test,ou=users,dc=example,dc=com
objectclass:person
objectclass:inetOrgPerson
objectclass:organizationalPerson
objectclass:top
givenName: test
title:test
uid:test
cn:test
sn:sdf
userPassword: 81dc9bdb52d04dc20036dbd8313ed055
mail: [email protected]
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config

The userPassword is hashed in the portal DB using MD5 with hex encoding. I also set pre-encoded-password to true, but that doesn't help.

The plain-text password for the above userPassword is "1234", and I have a sample Java program to authenticate with it:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapAuthTest {

    public static void main(String[] args) throws NamingException {

        final String ldapAdServer = "ldap://0.0.0.0:389";

        final String ldapUsername = "uid=test,ou=People,dc=example,dc=com";
        // the hex MD5 string taken from the LDIF is used as the bind password
        final String ldapPassword = "81dc9bdb52d04dc20036dbd8313ed055";

        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        if (ldapUsername != null) {
            env.put(Context.SECURITY_PRINCIPAL, ldapUsername);
        }
        if (ldapPassword != null) {
            env.put(Context.SECURITY_CREDENTIALS, ldapPassword);
        }
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapAdServer);

        env.put("java.naming.ldap.attributes.binary", "objectSID");
        // the simple bind is performed when the context is created
        DirContext ctx = new InitialDirContext(env);
        ctx.close();
    }
}

Replacing the userPassword in the Java program always gives "Invalid Authentication Exception".

Attached is the setting of the OpenDJ password policy.

My requirement is this: we have a portal whose passwords are stored in the DB as MD5 with hex encoding. The portal is integrated with LDAP, so on every password change the LDAP entry is updated with the hashed value, but the above Java program doesn't work at all. Need serious help.

Thanks.

2 Answers


You need to store the password hash in binary format. You can do this in an LDIF file by using "::" instead of ":" to separate the attribute name from the value:

dn:uid=test,ou=users,dc=example,dc=com
objectclass:person
objectclass:inetOrgPerson
objectclass:organizationalPerson
objectclass:top
givenName: test
title:test
uid:test
cn:test
sn:sdf
userPassword:: 81dc9bdb52d04dc20036dbd8313ed055
mail: [email protected]
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config

In OpenDJ, when you add or import a password, the server will only keep a hashed version of it, and for that, it uses the password storage scheme configured in the password policy for users (or the import policy).

However, it always computes the hash unless it detects that the password is already hashed with a known scheme. Schemes are identified by a prefix such as {SSHA1} or {MD5}.

Since the password for your user is already hashed with MD5 and OpenDJ has a scheme that hashes with MD5, you should make sure that the user password has the same representation as what OpenDJ produces or expects.

The format is:

userPassword: {MD5}Base64EncodingOftheMD5Hash

Once you have all user passwords in this format in the LDIF, you can add or import them into OpenDJ, but make sure you set the password policy to accept pre-encoded passwords (allow-pre-encoded-passwords), because that is not the default.

You can generate sample encoded values using OpenDJ encode-password tool:

$ encode-password -s MD5 -c password
Encoded Password:  "{MD5}X03MO1qnZdYdgyfeuILPmQ=="
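To show the conversion this answer describes in working code, here is an added example (not from the question or from OpenDJ itself). It turns the portal's hex MD5 string into the {MD5}base64 form OpenDJ stores, emits the LDIF line for it, and re-does the bind-time comparison OpenDJ's {MD5} scheme makes, using the question's hash for "1234" and the encode-password output for "password"; the function names and the minimal entry DN are assumptions.

```python
import base64
import hashlib
import hmac
import re

HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")


def hex_md5_to_opendj(hex_digest: str) -> str:
    """Convert a hex-encoded MD5 digest (the portal DB format) into the
    {MD5}<base64 of the 16 raw digest bytes> value OpenDJ's MD5 scheme stores.
    The common mistake is base64-encoding the 32 hex characters instead of
    the 16 bytes they represent; bytes.fromhex() does the decoding step."""
    hex_digest = hex_digest.strip()
    if not HEX_MD5.match(hex_digest):
        raise ValueError("expected 32 hex characters, got %r" % hex_digest)
    raw = bytes.fromhex(hex_digest)
    return "{MD5}" + base64.b64encode(raw).decode("ascii")


def opendj_md5_matches(clear_text: str, stored: str) -> bool:
    """Re-do the check the {MD5} scheme performs on a simple bind: hash the
    cleartext sent by the client and compare it to the decoded stored digest.
    This is why the Java program must bind with "1234", not with the hash."""
    if not stored.startswith("{MD5}"):
        return False
    stored_raw = base64.b64decode(stored[len("{MD5}"):])
    computed = hashlib.md5(clear_text.encode("utf-8")).digest()
    # {MD5} is unsalted, so equal cleartexts always give equal stored values
    return hmac.compare_digest(computed, stored_raw)


def ldif_password_line(hex_digest: str) -> str:
    """LDIF attribute line for the pre-encoded value. It is plain ASCII, so a
    single ':' is correct; '::' would declare the whole value to be base64."""
    return "userPassword: " + hex_md5_to_opendj(hex_digest)


if __name__ == "__main__":
    # constructed sample: the question's hash, i.e. MD5("1234") in hex
    portal_hash = "81dc9bdb52d04dc20036dbd8313ed055"
    stored = hex_md5_to_opendj(portal_hash)
    print(ldif_password_line(portal_hash))
    print("bind with '1234':", opendj_md5_matches("1234", stored))
    print("bind with the hex hash:", opendj_md5_matches(portal_hash, stored))
```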
