> On Nov 10, 2023, at 10:24 AM, Veniamin Gvozdikov
> <[email protected]> wrote:
>
> Hello.
>
> I would like to use hashed user passwords, but I didn't get the property
> for encryption of passwords for userPassword. If you open the DIT with Apache
> Directory Studio and open any user account's password property under
> ou=People, you will be able to set a new password with any of the listed
> hashing algorithms.
>
Veniamin,
The hash operations related to processing users and their passwords are handled
on the server.
For example, to use password policies in OpenLDAP[1], we'd enable the overlay in
the OpenLDAP config:
```
overlay ppolicy
ppolicy_hash_cleartext
```
This reduces complexity on the client side. Now, when the client requests that a
password be added, changed or checked (bind), it sends the password in clear text.
The server will change/interpret it as needed.
Man (openldap) slapo-ppolicy
…
ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should be
hashed before being stored in the database. This violates the X.500/LDAP
information model, but may be needed to compensate for LDAP clients that
don't use the Password Modify extended operation to manage passwords. It is
recommended that when this option is used that compare, search, and read access
be denied to all directory users.
> I reviewed src/main/java/org/apache/directory/fortress/core/model/User.java
> with these lines but no mentions about hashing.
>
Correct. That’s how it works currently.
> ```java
> /**
>  * Get the optional password attribute associated for a User.
>  * Note, this value is required before User will pass Fortress
>  * authentication in {@link org.apache.directory.fortress.core.impl.AccessMgrImpl#createSession(User, boolean)}.
>  * Even though password is char[] format here it will be stored on
>  * the ldap server (using server-side controls) in configurable and
>  * standard hashed formats.
>  *
>  * @return value maps to 'userPassword' attribute in 'inetOrgPerson' object class.
>  */
> public String getPassword()
> {
>     return password;
> }
> ```
>
> --
> Regards,
> Veniamin
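The thread above describes the mechanism but not what ends up in the directory: with `ppolicy_hash_cleartext` on and slapd's default `password-hash` scheme, the cleartext sent in the Add/Modify request is stored as an RFC 2307 style `{SSHA}` value, base64(sha1(password || salt) || salt). The following is an added example, not code from the thread, from OpenLDAP or from Fortress; it reproduces that storage format so a reader can recognise it when reading `userPassword` back with Apache Directory Studio, verify a cleartext password against it, and audit a list of stored values for entries that were never hashed (for instance ones written before the overlay was enabled). The 4-byte salt and the test values are constructed here and are assumptions, not taken from the thread.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Schemes slapd can store; anything without a {SCHEME} prefix is cleartext.
KNOWN_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{CLEARTEXT}")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value the way slapd's default scheme does.

    Format (RFC 2307 / OpenLDAP): "{SSHA}" + base64(sha1(pw || salt) || salt).
    slapd uses a 4-byte random salt by default; a fixed salt may be passed
    for deterministic tests (assumption for this example, not a real option).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value.

    This is what the server does on a simple bind once the attribute is hashed:
    split digest (20 bytes for SHA-1) from the trailing salt, recompute, compare.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        return False  # malformed: no salt bytes after the digest
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare so verification timing does not leak digest bytes
    return hmac.compare_digest(candidate, digest)


def password_scheme(stored: str) -> str:
    """Return the hash scheme prefix of a userPassword value, or 'cleartext'."""
    for scheme in KNOWN_SCHEMES:
        if stored.startswith(scheme):
            return scheme
    return "cleartext"


def audit_user_passwords(values: List[str]) -> List[int]:
    """Return the indexes of userPassword values that are stored in cleartext.

    Feed it the userPassword attribute read from each entry under ou=People
    (via ldapsearch or Directory Studio); a non-empty result means some entries
    pre-date ppolicy_hash_cleartext or were written by another path and should
    be re-set so the server hashes them.
    """
    return [i for i, v in enumerate(values) if password_scheme(v) == "cleartext"]


if __name__ == "__main__":
    # Constructed sample: two hashed entries and one that was never hashed.
    sample = [ssha_hash("Passw0rd"), ssha_hash("hunter2"), "plaintext-secret"]
    for v in sample:
        print(password_scheme(v), v)
    print("cleartext entries at indexes:", audit_user_passwords(sample))
    print("bind check:", ssha_verify("hunter2", sample[1]))
```

`ssha_hash` is only here to produce realistic input; with the overlay enabled the client never needs to hash anything, which is the point made above. The audit function is the practical check: after turning on `ppolicy_hash_cleartext`, read back `userPassword` for existing entries and confirm every value carries a scheme prefix.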