Thomas,
Thank you for your answer.
My userPassword attributes are encrypted using the SHA algorithm
(therefore with the {SHA} prefix in the binary value, just like you
have).
Unfortunately, the OpenLDAP server I am using is not configured to
accept Simple Bind authentication method.
Best Regards,
Christophe
On 9 March 2009 at 13:12, Thomas Mortagne wrote:
> On Mon, Mar 9, 2009 at 13:08, Thomas Mortagne <[email protected]> wrote:
>> On Mon, Mar 9, 2009 at 11:47, Christophe GRAVIER
>> <[email protected]> wrote:
>>> Dear XWiki users,
>>>
>>> I have been looking for authenticating my xwiki users against a LDAP
>>> directory (OpenLdap, debian box), where the userPassword field is
>>> encrypted using the SHA algorithm.
>>>
>>> Unfortunately, I am not able to configure xwiki to encrypt the
>>> password entered by the user before the authentication and
>>> authorization process.
>>>
>>> I receive the following snip, after enabling ldap logging in a custom
>>> log4j.properties file as indicated in the doc:
>>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP
>>> authentication failed: could not validate the password: wrong password
>>> for uid=gravier.christophe,ou=xxx,o=yyyy,c=fr
>>>
>>> The configuration is nevertheless good overall, because I can log
>>> in if I store my password as plain text binary in my LDAP server (but
>>> I don't want it to be plain text in the LDAP server, of course...).
>>>
>>> I have been searching the documentation, FAQ and user/dev mailing
>>> lists, and I only found encryption related to cookie storage, or SHA
>>> encryption for the xwiki-webdav module
>>> (http://xwiki.markmail.org/message/k2r2qqu2twjputml?q=ldap+SHA)
>>> developers' thoughts.
>>>
>>> Does someone have any clue on how to configure xwiki for encrypted
>>> userPassword stored in OpenLDAP, please?
>>>
>>
>> I guess sending the password encrypted to the LDAP server would be the
>> best for security, but anyway it's generally the LDAP server's work to
>> encrypt the received password, not the client's. I have passwords in my
>> LDAP server (ApacheDS) stored encrypted and it works perfectly (it's even
>> how I always used it). I don't know OpenLDAP very well but it should have
>> some way to have encrypted passwords in the database even if the client
>> sent a non-encrypted password.
>
> FYI in my ldif file it looks like:
>
> dn: cn=Horatio Hornblower,ou=people,o=sevenSeas
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> objectclass: top
> cn: Horatio Hornblower
> description: Capt. Horatio Hornblower, R.N
> givenname: Horatio
> sn: Hornblower
> uid: hhornblo
> mail: [email protected]
> userpassword: {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=
>
> note the "{SHA}" suffix in the password value.
>
>>
>>> Thank you in advance for any information in this matter !
>
> If encrypting the password on the client side is really needed you should
> add an issue on http://jira.xwiki.org
>
>>>
>>> Best Regards,
>>>
>>> Ch. Gravier
>>>
>>> --
>>> Dr.-Ing. Christophe Gravier
>>> DIOM laboratory - http://diom.telecom-st-etienne.fr/
>>> TELECOM Saint-Étienne (formerly "Istase") -
>>> http://www.telecom-st-etienne.fr/
>>>
>>> Jabber ID : [email protected]
>>> Homepage: http://diom.telecom-st-etienne.com/public/cgravier/
>>> Research project: http://diom.istase.fr/satin/einst/
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.xwiki.org/mailman/listinfo/users
>>>
>>
>> --
>> Thomas Mortagne
>>
>
> --
> Thomas Mortagne
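As an added example (not code from this thread, nor from XWiki, OpenLDAP or ApacheDS), here is the server-side check Thomas describes: the client sends the clear password in a simple bind, and the directory hashes it and compares the result with the stored `{SHA}` value (the salted `{SSHA}` form is handled too). Only Python's standard library is used; the sample passwords and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# {SHA}: base64(sha1(password)). Unsalted, so two users with the same
# password get the identical stored value (see the test below).
def make_sha(password: str) -> str:
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

# {SSHA}: base64(sha1(password + salt) + salt). The salt is stored after
# the 20-byte digest, so the verifier can recover it. A random salt is
# generated when none is supplied (constructed here, not a real directory).
def make_ssha(password: str, salt: bytes = None) -> str:
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

# What the server does on a simple bind: it receives the clear password,
# recomputes the hash using the scheme named by the prefix and compares.
# The client never needs to know the scheme or the salt.
def verify(password: str, stored: str) -> bool:
    pw = password.encode("utf-8")
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), expected)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    # No scheme prefix: the attribute holds the clear password (the setup
    # the original poster fell back to), so compare it directly.
    return hmac.compare_digest(pw, stored.encode("utf-8"))

if __name__ == "__main__":
    stored = make_ssha("constructed-secret")
    print(stored, verify("constructed-secret", stored))
```

Because the bind request carries the clear password, the hashing scheme in the directory protects the stored value only; the connection itself should still be protected with TLS (ldaps or StartTLS).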