Re: [xwiki-users] XWiki authentication configuration for encrypted userPassword stored in LDAP (SHA algorithm)

2009-03-09 Thread Thomas Mortagne
On Mon, Mar 9, 2009 at 11:47, Christophe GRAVIER
christophe.grav...@telecom-st-etienne.fr wrote:
 Dear XWiki users,

 I have been looking for authenticating my xwiki users against an LDAP
 directory (OpenLdap, debian box), where the userPassword field is
 encrypted using the SHA algorithm.

 Unfortunately, I am not able to configure xwiki to encrypt the
 password entered by the user before the authentication and
 authorization process.

 I receive the following snip, after enabling ldap logging in a custom
 log4j.properties file as indicated in the doc:
 com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP
 authentication failed: could not validate the password: wrong password
 for uid=gravier.christophe,ou=xxx,o=,c=fr

 The configuration is nevertheless good overall, because I can log
 in if I store my password as plain text binary in my LDAP server (but
 I don't want it to be plain text in the LDAP server of course...).

 I have been searching the documentation, FAQ and user/dev mailing
 lists, and I only found encryption related to cookie storage, or SHA
 encryption for xwiki-webdav module 
 (http://xwiki.markmail.org/message/k2r2qqu2twjputml?q=ldap+SHA
 ) developers' thoughts.

 Does someone have any clue on how to configure xwiki for encrypted
 userPassword stored in OpenLDAP please ?


I guess sending the password encrypted to the LDAP server would be the best for
security, but anyway it's generally the LDAP server's job to encrypt the
received password, not the client's. I have passwords in my LDAP server
(ApacheDS) stored encrypted and it works perfectly (it's even how I have
always used it). I don't know OpenLDAP very well, but it should have
some way to store encrypted passwords in the database even if the client
sent a non-encrypted password.

 Thank you in advance for any information in this matter !

 Best Regards,

 Ch. Gravier

 --
 Dr.-Ing. Christophe Gravier
 DIOM laboratory - http://diom.telecom-st-etienne.fr/
 TELECOM Saint-Étienne (formerly Istase) - http://www.telecom-st-etienne.fr/

 Jabber ID : gravier.christo...@jabber.istase.com
 Homepage: http://diom.telecom-st-etienne.com/public/cgravier/
 Research project: http://diom.istase.fr/satin/einst/
 ___
 users mailing list
 users@xwiki.org
 http://lists.xwiki.org/mailman/listinfo/users




-- 
Thomas Mortagne


Re: [xwiki-users] XWiki authentication configuration for encrypted userPassword stored in LDAP (SHA algorithm)

2009-03-09 Thread Thomas Mortagne
On Mon, Mar 9, 2009 at 13:08, Thomas Mortagne thomas.morta...@xwiki.com wrote:
 On Mon, Mar 9, 2009 at 11:47, Christophe GRAVIER
 christophe.grav...@telecom-st-etienne.fr wrote:
 Dear XWiki users,

 I have been looking for authenticating my xwiki users against an LDAP
 directory (OpenLdap, debian box), where the userPassword field is
 encrypted using the SHA algorithm.

 Unfortunately, I am not able to configure xwiki to encrypt the
 password entered by the user before the authentication and
 authorization process.

 I receive the following snip, after enabling ldap logging in a custom
 log4j.properties file as indicated in the doc:
 com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP
 authentication failed: could not validate the password: wrong password
 for uid=gravier.christophe,ou=xxx,o=,c=fr

 The configuration is nevertheless good overall, because I can log
 in if I store my password as plain text binary in my LDAP server (but
 I don't want it to be plain text in the LDAP server of course...).

 I have been searching the documentation, FAQ and user/dev mailing
 lists, and I only found encryption related to cookie storage, or SHA
 encryption for xwiki-webdav module 
 (http://xwiki.markmail.org/message/k2r2qqu2twjputml?q=ldap+SHA
 ) developers' thoughts.

 Does someone have any clue on how to configure xwiki for encrypted
 userPassword stored in OpenLDAP please ?


 I guess sending the password encrypted to the LDAP server would be the best for
 security, but anyway it's generally the LDAP server's job to encrypt the
 received password, not the client's. I have passwords in my LDAP server
 (ApacheDS) stored encrypted and it works perfectly (it's even how I have
 always used it). I don't know OpenLDAP very well, but it should have
 some way to store encrypted passwords in the database even if the client
 sent a non-encrypted password.

FYI in my ldif file it looks like:

dn: cn=Horatio Hornblower,ou=people,o=sevenSeas
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
cn: Horatio Hornblower
description: Capt. Horatio Hornblower, R.N
givenname: Horatio
sn: Hornblower
uid: hhornblo
mail: hhorn...@royalnavy.mod.uk
userpassword: {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=

note the {SHA} suffix in the password value.


 Thank you in advance for any information in this matter !

If encrypting the password on the client side is really needed, you should
add an issue on http://jira.xwiki.org


 Best Regards,

 Ch. Gravier

 --
 Dr.-Ing. Christophe Gravier
 DIOM laboratory - http://diom.telecom-st-etienne.fr/
 TELECOM Saint-Étienne (formerly Istase) - http://www.telecom-st-etienne.fr/

 Jabber ID : gravier.christo...@jabber.istase.com
 Homepage: http://diom.telecom-st-etienne.com/public/cgravier/
 Research project: http://diom.istase.fr/satin/einst/




 --
 Thomas Mortagne




-- 
Thomas Mortagne
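The point Thomas is making is that with an LDAP simple bind the client (XWiki) hands the directory the cleartext password and the directory re-hashes it with whatever scheme and salt are stored in userPassword, so no client-side hashing is needed or wanted. The following is an added example written for this page, not code from XWiki, ApacheDS or OpenLDAP. It reproduces the RFC 2307-style {SHA} value from Thomas's LDIF, adds the salted {SSHA} form a practitioner should prefer (OpenLDAP can generate it itself with `password-hash {SSHA}` when passwords are changed via `ldappasswd`, or offline with `slappasswd -h '{SSHA}'`), and implements the server-side comparison. The embedded LDIF is the entry from the thread trimmed to the relevant attributes; the password "pass" behind it is inferred from the hash and checked in the code. Two caveats the thread only implies: plain {SHA} is unsalted, so two users with the same password get the same stored value, and because the client sends the cleartext on the bind, the connection to the directory must be LDAPS or StartTLS.

```python
"""RFC 2307-style userPassword hashing and the server-side check behind an LDAP simple bind.

Added example for this thread; not code from XWiki, ApacheDS or OpenLDAP.
Assumption: the directory stores userPassword as "{SHA}base64(sha1(pw))" or
"{SSHA}base64(sha1(pw || salt) || salt)", as OpenLDAP and ApacheDS do.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# The LDIF entry from the thread, trimmed to the relevant attributes and embedded
# here as sample input (constructed for this example). The password behind the
# hash is "pass".
SAMPLE_LDIF = """dn: cn=Horatio Hornblower,ou=people,o=sevenSeas
objectclass: inetOrgPerson
cn: Horatio Hornblower
sn: Hornblower
uid: hhornblo
userpassword: {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=
"""


def encode_sha(password: str) -> str:
    """Unsalted {SHA}, the scheme used in the thread's LDIF.
    Identical passwords produce identical stored values (no salt)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: SHA-1 over password||salt, with the salt appended to the digest
    so the verifier can recover it. This is what `slappasswd -h '{SSHA}'` emits."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(password: str, stored: str) -> bool:
    """What the directory does on a simple bind: it receives the cleartext, re-hashes it
    with the scheme and salt found in the stored value, and compares in constant time.
    The client never hashes. Unknown schemes and malformed values fail closed."""
    if not stored.startswith("{"):
        # No scheme prefix: the value is cleartext (the setup the OP had working).
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    scheme, sep, payload = stored[1:].partition("}")
    if not sep:
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return len(raw) == 20 and hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        if len(raw) <= 20:  # digest with no salt bytes is malformed
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False


def userpassword_from_ldif(ldif: str) -> str:
    """Pull the userPassword value out of a single LDIF entry. LDAP attribute names are
    case-insensitive, so 'userpassword' and 'userPassword' both match."""
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "userpassword":
            return value.strip()
    raise KeyError("no userPassword attribute in entry")


if __name__ == "__main__":
    stored = userpassword_from_ldif(SAMPLE_LDIF)
    print("stored value:      ", stored)
    print("bind with 'pass'  ->", verify_userpassword("pass", stored))
    print("bind with 'wrong' ->", verify_userpassword("wrong", stored))
    print("salted form:       ", encode_ssha("pass"))
```

Running it shows the {SHA} value from the LDIF accepting "pass" and rejecting anything else, and that two {SSHA} encodings of the same password differ because of the salt. The prefix is parsed from the stored value, so the same verifier serves cleartext, {SHA} and {SSHA} entries side by side, which is exactly why the client does not need to know which scheme the directory uses.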


Re: [xwiki-users] XWiki authentication configuration for encrypted userPassword stored in LDAP (SHA algorithm)

2009-03-09 Thread Christophe GRAVIER
Thomas,

Thank you for your answer.

My userPassword attributes are encrypted using the SHA algorithm
(therefore with the {SHA} prefix in the binary value, just like you
have).

Unfortunately, the OpenLDAP server I am using is not configured to
accept the Simple Bind authentication method.

Best Regards,

Christophe

On 9 March 2009 at 13:12, Thomas Mortagne wrote:

