OpenLDAP + Java + changing users' passwords


Eric Gutierrez

I've got a -working- (work-in-progress) test program below that
changes a non-encrypted attribute to some other non-encrypted value
(change non-encrypted password program) of a Linux OpenLDAP server.

Yes/No Questions: (need to ask, because my soon-to-be new LDAP server
- Sun Directory Server - will likely use SSHA1 for users' passwords)


1. Will the user be able to log in with the new password from the program
below if the LDAP server is expecting the password to be encrypted in
SSHA1 (or some other method)?

2. Will LDAP automatically encrypt the new plain text password for me
when I run the program below? --how I wish...

3. Will I need to write code to encrypt the plain text password to
SSHA1 before giving it to the LDAP server? If yes, where do I start -
any APIs out there to do this fast?

Thanks for any tips.

eric


====================
JAVA CODE:
====================
import java.util.*;
import netscape.ldap.*;
....
// Connect and bind as the directory manager
LDAPConnection ld = new LDAPConnection();
ld.connect(hostname, 389);
ld.authenticate("cn=Manager,dc=cet,dc=co", "secret");
....
// Replace the password attribute with the new plain-text value
LDAPModificationSet mod = new LDAPModificationSet();
LDAPAttribute an = new LDAPAttribute("attrib_password", "somenewtxtpassword");
mod.add(LDAPModification.REPLACE, an);
ld.modify("uid=sometestuser,ou=people,dc=cet,dc=co", mod);
....
ld.disconnect();
====================
 

JScoobyCed

Eric said:
1. Will the user be able to log in with the new password from the program
below if the LDAP server is expecting the password to be encrypted in
SSHA1 (or some other method)?

2. Will LDAP automatically encrypt the new plain text password for me
when I run the program below? --how I wish...

3. Will I need to write code to encrypt the plain text password to
SSHA1 before giving it to the LDAP server? If yes, where do I start -
any APIs out there to do this fast?

Hi,

I am currently working with LDAP servers (Active Directory and Sun
iPlanet), but only in one way: reading (that is, I read values from the
LDAP server, but I don't write any).
Passwords are encrypted on both servers, but when I send a query to create
a context, I use the clear text password. I have no problem with that.
Now if I read that password, of course I got binary values for the
encrypted password.
I would say you don't need to encrypt the password to send it to your
LDAP server. But in fact that depends on the API you are using. I see
you use some netscape package. You should look at the documentation that
goes with that API.
Now if you need to encrypt data, you should have a look at the JCE API
(Java Cryptography Extension) http://java.sun.com/products/jce/index-14.html
JCE is part of the J2SDK since its 1.4.x version. Quoted:
"Support for the following algorithms by the SunJCE provider:

* DES
* DESede
* AES (with Java 2 SDK, v 1.4.2)
* Blowfish
* PBEWithMD5AndDES
* PBEWithMD5AndTripleDES
* Diffie-Hellman key agreement among multiple parties
* HmacMD5
* HmacSHA1
"
 

Anzime

JScoobyCed said:
Hi,

I am currently working with LDAP servers (Active Directory and Sun
iPlanet), but only in one way: reading (that is, I read values from the
LDAP server, but I don't write any).
Passwords are encrypted on both servers, but when I send a query to create
a context, I use the clear text password. I have no problem with that.
Now if I read that password, of course I got binary values for the
encrypted password.
I would say you don't need to encrypt the password to send it to your
LDAP server. But in fact that depends on the API you are using. I see
you use some netscape package. You should look at the documentation that
goes with that API.
Now if you need to encrypt data, you should have a look at the JCE API
(Java Cryptography Extension)
http://java.sun.com/products/jce/index-14.html
JCE is part of the J2SDK since its 1.4.x version. Quoted:
"Support for the following algorithms by the SunJCE provider:

* DES
* DESede
* AES (with Java 2 SDK, v 1.4.2)
* Blowfish
* PBEWithMD5AndDES
* PBEWithMD5AndTripleDES
* Diffie-Hellman key agreement among multiple parties
* HmacMD5
* HmacSHA1
"

Hash your password using SHA1, create an LDAPAttribute with the
hash, and call modify on the connection.
 
