On Mon, Mar 9, 2009 at 13:08, Thomas Mortagne <[email protected]> wrote:
> On Mon, Mar 9, 2009 at 11:47, Christophe GRAVIER
> <[email protected]> wrote:
>> Dear XWiki users,
>>
>> I have been looking at authenticating my xwiki users against an LDAP
>> directory (OpenLDAP, Debian box), where the userPassword field is
>> encrypted using the SHA algorithm.
>>
>> Unfortunately, I am not able to configure xwiki to encrypt the
>> password entered by the user before the authentication and
>> authorization process.
>>
>> I receive the following snippet, after enabling ldap logging in a custom
>> log4j.properties file as indicated in the doc:
>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP
>> authentication failed: could not validate the password: wrong password
>> for uid=gravier.christophe,ou=xxx,o=yyyy,c=fr
>>
>> The configuration is nevertheless good overall, because I can log
>> in if I store my password as plain text binary in my LDAP server (but
>> I don't want it to be plain text in the LDAP server of course...).
>>
>> I have been searching the documentation, FAQ and user/dev mailing
>> lists, and I only found encryption related to cookie storage, or SHA
>> encryption for the xwiki-webdav module
>> (http://xwiki.markmail.org/message/k2r2qqu2twjputml?q=ldap+SHA)
>> developers' thoughts.
>>
>> Does someone have any clue on how to configure xwiki for encrypted
>> userPassword stored in OpenLDAP please?
>>
>
> I guess sending the password encrypted to the LDAP server would be the best
> for security, but anyway it's generally the LDAP server's work to encrypt the
> received password, not the client's. I have passwords in my LDAP server
> (ApacheDS) stored encrypted and it works perfectly (it's even how I
> always used it). I don't know OpenLDAP very well but it should have
> some way to have encrypted passwords in the database even if the client
> sends an unencrypted password.

FYI in my ldif file it looks like:

dn: cn=Horatio Hornblower,ou=people,o=sevenSeas
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
cn: Horatio Hornblower
description: Capt. Horatio Hornblower, R.N
givenname: Horatio
sn: Hornblower
uid: hhornblo
mail: [email protected]
userpassword: {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=

note the "{SHA}" suffix in the password value.

>
>> Thank you in advance for any information in this matter!

If encrypting the password on the client side is really needed you should add
an issue on http://jira.xwiki.org

>>
>> Best Regards,
>>
>> Ch. Gravier
>>
>> --
>> Dr.-Ing. Christophe Gravier
>> DIOM laboratory - http://diom.telecom-st-etienne.fr/
>> TELECOM Saint-Étienne (formerly "Istase") - http://www.telecom-st-etienne.fr/
>>
>> Jabber ID : [email protected]
>> Homepage: http://diom.telecom-st-etienne.com/public/cgravier/
>> Research project: http://diom.istase.fr/satin/einst/
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/users
>>
>
>
>
> --
> Thomas Mortagne
>

--
Thomas Mortagne
