構造的に表示 平面上に表示 ツリー上に表示
スレッド [ 前へ | 次へ ]
toggle
Eugene Massier
Exporting plaintext password to LDAP?
2011/07/22 14:40
答え

Eugene Massier

ランク: New Member

投稿: 16

参加年月日: 2011/07/18

最近の投稿

Hello all,

I've enabled the property passwords.encryption.algorithm=SSHA, but Liferay still exports the unecnrypted version of the password to LDAP. After debugging the source code a bit, it appears that Liferay only supports plaintext export of passwords to LDAP. Is this the case? Please take a look at the code snippet below:

 1    public Modifications getLDAPUserModifications(
 2            User user, Map<String, Serializable> userExpandoAttributes,
 3            Properties userMappings, Properties userExpandoMappings)
 4        throws Exception {
 5
 6        Modifications modifications = getModifications(
 7            user, userMappings, _reservedUserFieldNames);
 8
 9        if (user.isPasswordModified() &&
10            Validator.isNotNull(user.getPasswordUnencrypted())) {
11
12            addModificationItem(
13                userMappings.getProperty(UserConverterKeys.PASSWORD),
14                user.getPasswordUnencrypted(), modifications);
15        }


The part where is says getPasswordUnencrypted() does not take into consideration whether LDAP actually wants it that way or not. I added the following change to the source code:
1            addModificationItem(
2                userMappings.getProperty(UserConverterKeys.PASSWORD),
3                "{SSHA}" + user.getPassword(), modifications);


And now the password does get set properly in LDAP, however, this is very hackish... what is the trick here to having the password sent in the appropriate encryption to my LDAP server?
Eugene Massier
RE: Exporting plaintext password to LDAP?
2011/07/22 14:42
答え

Eugene Massier

ランク: New Member

投稿: 16

参加年月日: 2011/07/18

最近の投稿

basically, what I am trying to figure out is if there is any "out of the box" support for sending passwords to LDAP with encryption, so that LDAP stores the passwords in an encrypted way. Or perhaps it is the LDAP server's responsibility to receive the clear text password over a secure connection and to encrypt it locally before storing?
Eugene Massier
RE: Exporting plaintext password to LDAP?
2011/07/25 15:09
答え

Eugene Massier

ランク: New Member

投稿: 16

参加年月日: 2011/07/18

最近の投稿

I decided to update the code in BasePortalToLDAPConverter.java to take into account what encryption approach is being used for Liferay.

Original code:

1        if (user.isPasswordModified() &&
2            Validator.isNotNull(user.getPasswordUnencrypted())) {
3
4            addModificationItem(
5                userMappings.getProperty(UserConverterKeys.PASSWORD),
6                user.getPasswordUnencrypted(), modifications);
7        }


Updated code:


 1        if(PwdEncryptor.PASSWORDS_ENCRYPTION_ALGORITHM.equals(PwdEncryptor.TYPE_NONE)) {
 2            String passwordUnencrypted = user.getPasswordUnencrypted();
 3            if (user.isPasswordModified() &&
 4                Validator.isNotNull(passwordUnencrypted)) {
 5   
 6                addModificationItem(
 7                    userMappings.getProperty(UserConverterKeys.PASSWORD),
 8                    passwordUnencrypted, modifications);
 9            }
10        } else {
11            String encryptedPassword = "{" + PwdEncryptor.PASSWORDS_ENCRYPTION_ALGORITHM + "}" + user.getPassword();
12            if (user.isPasswordModified() &&
13                    Validator.isNotNull(encryptedPassword)) {
14       
15                    addModificationItem(
16                        userMappings.getProperty(UserConverterKeys.PASSWORD),
17                        encryptedPassword, modifications);
18                }   
19        }


As you case see, the main change that I have made is to wrap the original code in the initial "if" clause. I have added supplemental code to the "else" clase, to handle the case where some type of encryption is being used. The result of this, is that when Liferay is using some type of encryption scheme, the password sent to the LDAP server will be of the form {ENCRYPTION_SCHEME}encryptedPassword however, when no entryption is being used, a plaintext password will be sent to the LDAP server as is currently the default implementation in all cases.

I have attached a class file compatible with Liferay Portal version liferay-portal-tomcat-6.0.6-20110225

Simply overwrite your existing class file with this new one to gain specified functionality. Until a better solution becomes available, I'll be sticking with this approach.

You can download the new class file here: BasePortalToLDAPConverter.class
Mika Koivisto
RE: Exporting plaintext password to LDAP?
2011/07/27 16:01
答え

Mika Koivisto

LIFERAY STAFF

ランク: Liferay Legend

投稿: 1513

参加年月日: 2006/08/07

最近の投稿

You should know that this only works with Apache DS. AD on the other hand requires UTF-16 encoded version of the plain text password and many other ldaps require the plain text password as they will do the hashing internally and not externally like Apache DS.
Eugene Massier
RE: Exporting plaintext password to LDAP?
2011/07/27 16:16
答え

Eugene Massier

ランク: New Member

投稿: 16

参加年月日: 2011/07/18

最近の投稿

Thanks for the feedback, I really appreciate it. It would seem that the directory server should hash the password internally as you say, and I think this can be configured with a password storage option, that is not supported in the current version of Apache DS, hence this patch. I found that the jar file containing the class file to replace is webapps/ROOT/WEB-INF/lib/portal-impl.jar
Mika Koivisto
RE: Exporting plaintext password to LDAP?
2011/07/27 16:29
答え

Mika Koivisto

LIFERAY STAFF

ランク: Liferay Legend

投稿: 1513

参加年月日: 2006/08/07

最近の投稿

If you'd like to contribute the solution we have a ticket for this LPS-19155. This needs to be made configurable through portal.properties. Also the hashing needs to be done on the fly for the plain text password as Liferay stores the hashed password differently (base64 encoded instead of hex encoded) than Apache DS expects it. You can send a pull request to me directly to https://github.com/mikakoivisto/liferay-portal or provide a patch agains trunk on the ticket. You just need to click contribute solution on the ticket after doing so.
Eugene Massier
RE: Exporting plaintext password to LDAP?
2011/07/27 16:33
答え

Eugene Massier

ランク: New Member

投稿: 16

参加年月日: 2011/07/18

最近の投稿

Ok, I will take a look at it. For now I have tested it and I can change my password and re-login with no issues.
Eugene Massier
RE: Exporting plaintext password to LDAP?
2011/07/27 16:34
答え

Eugene Massier

ランク: New Member

投稿: 16

参加年月日: 2011/07/18

最近の投稿

btw, I am using SSHA encoding in both Liferay and Apache DS
Dimitri Tischenko
RE: Exporting plaintext password to LDAP?
2012/05/08 7:43
答え

Dimitri Tischenko

ランク: New Member

投稿: 22

参加年月日: 2011/11/10

最近の投稿

Mika Koivisto:
You should know that this only works with Apache DS. AD on the other hand requires UTF-16 encoded version of the plain text password and many other ldaps require the plain text password as they will do the hashing internally and not externally like Apache DS.


Hi Mika,

I have looked at the status of the related issues in Jira and it seems this has not been implemented yet, for neither Apache DS or a different LDAP server. Could you clarify whether it is, in fact, possible to store passwords in OpenLDAP in an encrypted form?

TIA