Re: [xwiki-users] XWiki authentication configuration for encrypted userPassword stored in LDAP (SHA algorithm)

On Mon, Mar 9, 2009 at 11:47, Christophe GRAVIER christophe.grav...@telecom-st-etienne.fr wrote:
> Dear XWiki users,
>
> I have been looking for authenticating my xwiki users against a LDAP directory (OpenLdap, debian box), where the userPassword field is encrypted using the SHA algorithm. Unfortunately, I am not able to configure xwiki to encrypt the password entered by the user before the authentication and authorization process.
>
> I receive the following snip, after enabling ldap logging in a custom log4j.properties file as indicated in the doc:
>
> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP authentication failed: could not validate the password: wrong password for uid=gravier.christophe,ou=xxx,o=,c=fr
>
> The configuration is nevertheless good overall, because I can log in if I store my password as plain text binary in my LDAP server (but I don't want it to be plain text in the LDAP server of course...).
>
> I have been searching the documentation, FAQ and user/dev mailing lists, and I only found encryption related to cookie storage, or SHA encryption for the xwiki-webdav module (http://xwiki.markmail.org/message/k2r2qqu2twjputml?q=ldap+SHA ) in developers' thoughts.
>
> Does someone have any clue on how to configure xwiki for encrypted userPassword stored in OpenLDAP please?

I guess sending the password encrypted to the LDAP server would be the best for security, but anyway it's generally the LDAP server's work to encrypt the received password, not the client's.

I have passwords in my LDAP server (ApacheDS) stored encrypted and it works perfectly (it's even how I have always used it). I don't know OpenLDAP very well but it should have some way to have encrypted passwords in the database even if the client sent a non-encrypted password.

> Thank you in advance for any information in this matter!
>
> Best Regards,
> Ch. Gravier
>
> --
> Dr.-Ing. Christophe Gravier
> DIOM laboratory - http://diom.telecom-st-etienne.fr/
> TELECOM Saint-Étienne (formerly Istase) - http://www.telecom-st-etienne.fr/
> Jabber ID : gravier.christo...@jabber.istase.com
> Homepage: http://diom.telecom-st-etienne.com/public/cgravier/
> Research project: http://diom.istase.fr/satin/einst/
>
> ___
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users

--
Thomas Mortagne
Re: [xwiki-users] XWiki authentication configuration for encrypted userPassword stored in LDAP (SHA algorithm)

On Mon, Mar 9, 2009 at 13:08, Thomas Mortagne thomas.morta...@xwiki.com wrote:
> On Mon, Mar 9, 2009 at 11:47, Christophe GRAVIER christophe.grav...@telecom-st-etienne.fr wrote:
>> Dear XWiki users,
>>
>> I have been looking for authenticating my xwiki users against a LDAP directory (OpenLdap, debian box), where the userPassword field is encrypted using the SHA algorithm. Unfortunately, I am not able to configure xwiki to encrypt the password entered by the user before the authentication and authorization process.
>>
>> I receive the following snip, after enabling ldap logging in a custom log4j.properties file as indicated in the doc:
>>
>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP authentication failed: could not validate the password: wrong password for uid=gravier.christophe,ou=xxx,o=,c=fr
>>
>> The configuration is nevertheless good overall, because I can log in if I store my password as plain text binary in my LDAP server (but I don't want it to be plain text in the LDAP server of course...).
>>
>> I have been searching the documentation, FAQ and user/dev mailing lists, and I only found encryption related to cookie storage, or SHA encryption for the xwiki-webdav module (http://xwiki.markmail.org/message/k2r2qqu2twjputml?q=ldap+SHA ) in developers' thoughts.
>>
>> Does someone have any clue on how to configure xwiki for encrypted userPassword stored in OpenLDAP please?
>
> I guess sending the password encrypted to the LDAP server would be the best for security, but anyway it's generally the LDAP server's work to encrypt the received password, not the client's.
>
> I have passwords in my LDAP server (ApacheDS) stored encrypted and it works perfectly (it's even how I have always used it). I don't know OpenLDAP very well but it should have some way to have encrypted passwords in the database even if the client sent a non-encrypted password.

FYI in my ldif file it looks like:

dn: cn=Horatio Hornblower,ou=people,o=sevenSeas
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
cn: Horatio Hornblower
description: Capt. Horatio Hornblower, R.N
givenname: Horatio
sn: Hornblower
uid: hhornblo
mail: hhorn...@royalnavy.mod.uk
userpassword: {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=

note the {SHA} suffix in the password value.

>> Thank you in advance for any information in this matter!

If encrypting the password on the client side is really needed you should add an issue on http://jira.xwiki.org

>> Best Regards,
>> Ch. Gravier

--
Thomas Mortagne
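The check the directory itself performs on a simple bind against an RFC 2307 style userPassword value, as an added Python example (not code from the thread, XWiki, ApacheDS or OpenLDAP). It is run against the {SHA} value from the LDIF quoted above and also covers the salted {SSHA} scheme and an unhashed value, which the thread does not show; the function names are the example's own.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 layout of userPassword: "{SCHEME}" + base64(hash [+ salt]), or,
# with no scheme prefix, the cleartext password itself (the layout the
# original poster fell back to while debugging).

def parse_userpassword(stored):
    """Split a userPassword value into (scheme, decoded bytes)."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), base64.b64decode(stored[end + 1:])
    return None, stored.encode("utf-8")

def verify_userpassword(candidate, stored):
    """Return True if candidate is the password behind the stored value.

    This is what the server does on a simple bind: the client sends the
    password as typed (over TLS) and the server hashes it with the scheme
    and salt recorded in the entry, so the client needs no hashing option.
    """
    scheme, raw = parse_userpassword(stored)
    pw = candidate.encode("utf-8")
    if scheme is None:                    # cleartext userPassword
        return hmac.compare_digest(pw, raw)
    if scheme == "SHA":                   # unsalted SHA-1, as in the LDIF above
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":                  # SHA-1(password || salt), salt appended
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported password scheme %r" % scheme)

def make_ssha(password, salt=None):
    """Build a salted {SSHA} value in the layout OpenLDAP's slappasswd uses."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

# The userPassword from the ApacheDS sample LDIF quoted in the thread. Its
# cleartext is "pass" (the ApacheDS sample-data password); the checks below
# recompute the hash to confirm it.
SAMPLE = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="

if __name__ == "__main__":
    assert verify_userpassword("pass", SAMPLE)
    assert not verify_userpassword("wrong", SAMPLE)
    assert verify_userpassword("pass", make_ssha("pass"))
    print("ok")
```

The unsalted {SHA} form in the sample lets identical passwords produce identical stored values; {SSHA} avoids that, which is why OpenLDAP's slappasswd defaults to it.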
Re: [xwiki-users] XWiki authentication configuration for encrypted userPassword stored in LDAP (SHA algorithm)

Thomas,

Thank you for your answer. My userPassword attributes are encrypted using the SHA algorithm (therefore with the {SHA} prefix in the binary value, just like you have). Unfortunately, the OpenLDAP server I am using is not configured to accept the Simple Bind authentication method.

Best Regards,
Christophe

On 9 Mar 09 at 13:12, Thomas Mortagne wrote:
> On Mon, Mar 9, 2009 at 13:08, Thomas Mortagne thomas.morta...@xwiki.com wrote:
>> On Mon, Mar 9, 2009 at 11:47, Christophe GRAVIER christophe.grav...@telecom-st-etienne.fr wrote:
>>> Dear XWiki users,
>>>
>>> I have been looking for authenticating my xwiki users against a LDAP directory (OpenLdap, debian box), where the userPassword field is encrypted using the SHA algorithm. Unfortunately, I am not able to configure xwiki to encrypt the password entered by the user before the authentication and authorization process.
>>>
>>> I receive the following snip, after enabling ldap logging in a custom log4j.properties file as indicated in the doc:
>>>
>>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP authentication failed: could not validate the password: wrong password for uid=gravier.christophe,ou=xxx,o=,c=fr
>>>
>>> The configuration is nevertheless good overall, because I can log in if I store my password as plain text binary in my LDAP server (but I don't want it to be plain text in the LDAP server of course...).
>>>
>>> I have been searching the documentation, FAQ and user/dev mailing lists, and I only found encryption related to cookie storage, or SHA encryption for the xwiki-webdav module (http://xwiki.markmail.org/message/k2r2qqu2twjputml?q=ldap+SHA ) in developers' thoughts.
>>>
>>> Does someone have any clue on how to configure xwiki for encrypted userPassword stored in OpenLDAP please?
>>
>> I guess sending the password encrypted to the LDAP server would be the best for security, but anyway it's generally the LDAP server's work to encrypt the received password, not the client's.
>>
>> I have passwords in my LDAP server (ApacheDS) stored encrypted and it works perfectly (it's even how I have always used it). I don't know OpenLDAP very well but it should have some way to have encrypted passwords in the database even if the client sent a non-encrypted password.
>
> FYI in my ldif file it looks like:
>
> dn: cn=Horatio Hornblower,ou=people,o=sevenSeas
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> objectclass: top
> cn: Horatio Hornblower
> description: Capt. Horatio Hornblower, R.N
> givenname: Horatio
> sn: Hornblower
> uid: hhornblo
> mail: hhorn...@royalnavy.mod.uk
> userpassword: {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=
>
> note the {SHA} suffix in the password value.
>
>>> Thank you in advance for any information in this matter!
>
> If encrypting the password on the client side is really needed you should add an issue on http://jira.xwiki.org
>
>>> Best Regards,
>>> Ch. Gravier
>
> --
> Thomas Mortagne