Posted to api@directory.apache.org by igyu <ig...@21cn.com> on 2021/09/15 07:33:11 UTC

How can I use CRYPT

<dependency>
    <groupId>org.apache.directory.api</groupId>
    <artifactId>api-all</artifactId>
    <version>2.0.1</version>
</dependency>

<dependency>
    <groupId>org.apache.directory.server</groupId>
    <artifactId>apacheds-core-api</artifactId>
    <version>2.0.0.AM26</version>
</dependency>

connection.add(new DefaultEntry(
                    "uid=" + name + ",ou=people,dc=join,dc=com",
                    "objectClass: account",
                    "objectClass: posixAccount",
                    "objectClass: shadowAccount",
                    "objectClass: top",
                    "cn", name,
                    "gidNumber", gidNumber,
                    "homeDirectory", home,
                    "uidNumber", uidNumber,
                    "userPassword", upassword
            ));

If I use this, userPassword is plaintext.

How can I use CRYPT or MD5?



igyu

Re: How can I use CRYPT

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi,

your question is not clear.

1) When you say 'how can I use Crypt or MD5', you don't tell us in which 
context. Typically, as you add some API code, it may be that you want to 
store MD5 or Crypt hashed passwords in an LDAP server, but you don't tell 
us which LDAP server you are referring to.

2) Assuming it's not ApacheDS, you probably want to use slappasswd to 
inject new users. It allows you to specify the Hash function to use for 
your password.

3) If you want to do that programmatically, using Apache LDAP API, you 
can use PasswordUtil.createStoragePassword() with one of the 
algorithms listed in 
org.apache.directory.api.ldap.model.constants.LdapSecurityConstants. For 
instance:

 > connection.add(new DefaultEntry(
 >                      "uid=" + name + ",ou=people,dc=join,dc=com",
 >                      "objectClass: account",
 >                      "objectClass: posixAccount",
 >                      "objectClass: shadowAccount",
 >                      "objectClass: top",
 >                      "cn", name,
 >                      "gidNumber", gidNumber,
 >                      "homeDirectory", home,
 >                      "uidNumber", uidNumber,
 >                      "userPassword", PasswordUtil.createStoragePassword(
 >                          upassword, LdapSecurityConstants.HASH_METHOD_CRYPT )
 >              ));

4) Now, if you are using ApacheDS, you can also let the server itself do 
the work. There is an optional interceptor that can be added that will 
hash the provided password (either on an Add or on a Modify operation) 
with the configured hash algorithm. Here is a test class that 
demonstrates the feature:


     LdapConnection connection = IntegrationUtils.getAdminConnection( getService() );

     List<Interceptor> interceptors = classDirectoryService.getInterceptors();

     Class<?> clazz = CryptPasswordHashingInterceptor.class;
     Interceptor hashMech = null;
     hashMech = ( Interceptor ) clazz.newInstance();
     hashMech.init( classDirectoryService );
     interceptors.add( hashMech );

     classDirectoryService.setInterceptors( interceptors );

Here we just programmatically added the crypt algorithm interceptor that 
will hash any added or modified password using the bcrypt algorithm.
Note that you can do the same with a modified configuration, you just 
have to add the proper interceptor at the right place:

dn: ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-interceptor
objectclass: ads-hashInterceptor
ads-enabled: TRUE
ads-interceptororder: 9
ads-interceptorclassname: org.apache.directory.server.core.hash.CryptPasswordHashingInterceptor
ads-interceptorid: passwordHashingInterceptor
ads-hashAttribute: 2.5.4.35

Here, the position is 9, and if you have to add this config, be sure 
that the other interceptors are changed to reflect the addition of this 
one (i.e. the next interceptors' ads-interceptororder will have to be 
incremented after the insertion). Like, if you had:

dn: ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-interceptor
ads-enabled: FALSE
ads-interceptororder: 8
ads-interceptorclassname: org.apache.directory.server.core.kerberos.KeyDerivationInterceptor
ads-interceptorid: keyDerivationInterceptor

dn: ads-interceptorId=schemaInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-interceptor
ads-interceptororder: 9
ads-interceptorclassname: org.apache.directory.server.core.schema.SchemaInterceptor
ads-interceptorid: schemaInterceptor
ads-enabled: TRUE

then adding the CryptPasswordHashingInterceptor configuration will result 
in such a change:

dn: ads-interceptorId=keyDerivationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-interceptor
ads-enabled: FALSE
ads-interceptororder: 8
ads-interceptorclassname: org.apache.directory.server.core.kerberos.KeyDerivationInterceptor
ads-interceptorid: keyDerivationInterceptor

dn: ads-interceptorId=passwordHashingInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-interceptor
objectclass: ads-hashInterceptor
ads-enabled: TRUE
ads-interceptororder: 9
ads-interceptorclassname: org.apache.directory.server.core.hash.CryptPasswordHashingInterceptor
ads-interceptorid: passwordHashingInterceptor
ads-hashAttribute: 2.5.4.35

dn: ads-interceptorId=schemaInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-interceptor
ads-interceptororder: 10    <----------------- It was 9, it's now 10.
ads-interceptorclassname: org.apache.directory.server.core.schema.SchemaInterceptor
ads-interceptorid: schemaInterceptor
ads-enabled: TRUE


and so on.



I know that OpenLDAP has the same mechanism, but you'll have to check 
OpenLDAP doco for that.


I hope I answered your question...



-- 
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecharny@busit.com https://www.busit.com/
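
Added example, not part of the original messages or of the Apache Directory project's code: a client-side check for the client-side hashing in point 3, which hashes the password, refuses to send a value that has no {scheme} prefix, and verifies a clear-text password against the stored form. The class name StoragePasswordCheck, the helper requireHashed() and the sample password are hypothetical; it assumes the api-all 2.0.1 dependency from the question is on the classpath.

```java
import java.nio.charset.StandardCharsets;

import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
import org.apache.directory.api.ldap.model.password.PasswordUtil;

public class StoragePasswordCheck {

    /** Hypothetical guard: call it on any value about to be sent as userPassword. */
    static byte[] requireHashed(byte[] userPassword) {
        // findAlgorithm() returns null when the value carries no recognised
        // {scheme} prefix, i.e. when it would be stored as plain text.
        if (PasswordUtil.findAlgorithm(userPassword) == null) {
            throw new IllegalArgumentException("userPassword has no hash scheme prefix");
        }
        return userPassword;
    }

    public static void main(String[] args) {
        String upassword = "Constructed-Sample-1"; // constructed sample value
        byte[] plain = upassword.getBytes(StandardCharsets.UTF_8);

        // Same call as in the reply; other LdapSecurityConstants values can be
        // substituted for HASH_METHOD_CRYPT.
        byte[] stored = PasswordUtil.createStoragePassword(
                upassword, LdapSecurityConstants.HASH_METHOD_CRYPT);

        requireHashed(stored); // passes: the value starts with a {scheme} prefix
        System.out.println("userPassword: " + new String(stored, StandardCharsets.UTF_8));
        System.out.println("scheme      : " + PasswordUtil.findAlgorithm(stored));

        try {
            requireHashed(plain); // the situation described in the question
        } catch (IllegalArgumentException e) {
            System.out.println("rejected    : " + e.getMessage());
        }

        // compareCredentials() re-hashes the received clear text with the scheme
        // and salt taken from the stored value and compares the results.
        System.out.println("correct pw  : " + PasswordUtil.compareCredentials(plain, stored));
        byte[] wrong = "wrong-guess".getBytes(StandardCharsets.UTF_8);
        System.out.println("wrong pw    : " + PasswordUtil.compareCredentials(wrong, stored));
    }
}
```

The byte[] returned by requireHashed() can be passed as the "userPassword" value in the DefaultEntry shown in the reply.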
