OpenDJ: Using pre-encoded passwords

OpenDJ Community Logo By default OpenDJ hashes passwords such that the clear text versions are no longer available after the data has been imported. For example, you might find entries such as the following in exported LDIF.

dn: uid=bjensen,ou=People,dc=example,dc=com
...
userPassword: {SSHA}87Lko/hZ+ls8T+mdlBj+FjwQYkcR6ly6X5W3Xw==
...

It turns out that you can import the LDIF with pre-encoded passwords directly into OpenDJ, at least versions 2.4.3 and later. (Technically, this works for supported algorithms like SSHA shown in braces in the example above. For a list of supported algorithms for password encryption, run encode-password -l.)

Sometimes you want to update the password with a pre-encoded value, however. Yet OpenDJ default password policy does not let you do so.

$ cat /path/to/abarnes-pwd.ldif
dn: uid=abarnes,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}9RvNtFy7ug0YYk4JZGlyBUfhVFfOJwWgqe9+rA==

$ ldapmodify -p 1389 -D "cn=Directory Manager"
 -w password -f /path/to/abarnes-pwd.ldif
Processing MODIFY request for
 uid=abarnes,ou=people,dc=example,dc=com
MODIFY operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  User passwords may
 not be provided in pre-encoded form

You can change the default behavior by modifying the advanced password policy property, allow-pre-encoded-passwords, by using the dsconfig command.

$ dsconfig -p 4444 -h `hostname`
 -D "cn=Directory Manager" -w password
 set-password-policy-prop
 --policy-name "Default Password Policy"
 --set allow-pre-encoded-passwords:true -X -n
$ ldapmodify -p 1389 -D "cn=Directory Manager"
 -w password -f /path/to/abarnes-pwd.ldif
Processing MODIFY request for
 uid=abarnes,ou=people,dc=example,dc=com
MODIFY operation successful for DN
 uid=abarnes,ou=people,dc=example,dc=com
$ ldapsearch -p 1389
 -D "uid=abarnes,ou=people,dc=example,dc=com"
 -w password -b dc=example,dc=com
 uid=abarnes userPassword
dn: uid=abarnes,ou=People,dc=example,dc=com
userPassword: {SSHA}9RvNtFy7ug0YYk4JZGlyBUfhVFfOJwWgqe9+rA==

For more on password policy configuration, check out the draft admin guide chapter on the subject.

About these ads

10 Comments

Filed under Directory Services and LDAP

10 responses to “OpenDJ: Using pre-encoded passwords

  1. Using pre-encoded passwords might prevent the directory server from enforcing password policy items such as password quality, and for that reason alone, is a bad idea.

  2. Good point, Terry.

    In fact the only use case that comes to mind for putting pre-encoded userPassword values back into the directory is when importing the data from LDIF. What are the use cases for authPassword, as in http://tools.ietf.org/html/rfc3112?

  3. A common use case for RFC3112 would be in conjunction with RFC3062 and server-generated passwords.

  4. Maybe I’m going about things the wrong way? Advice appreciated but I am importing a couple of thousand users from an openldap installation to a new OpenDJ server. This will allow me to import the current user passwords without having to enforce a change for everybody.

    The user base is mainly student and it is a bit like herding cats so I wish to minimise change for them.

  5. Hello David,

    Before trying to import the OpenLDAP data into OpenDJ, make sure that the OpenLDAP schema definitions are also available in OpenDJ. Ludovic Poitou has written a script to convert OpenLDAP schema, http://ludopoitou.wordpress.com/2009/07/31/updated-schema-convert-py-script-for-opends/ to help with that step. The Admin Guide chapter on Schema might help once you’ve converted the OpenLDAP schema and are wondering what to do then, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#chap-schema

    Although you don’t want all users to have to replace their passwords right away, you still probably want to set up a password policy that has them change passwords eventually, and then use acceptable passwords when they do. There’s a chapter in the Admin Guide about password policies, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#chap-pwd-policy
    It’s possible to set up OpenDJ to send mail to active users, warning them for example about password expiration. That’s described in towards the end of the chapter on account lockout, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#chap-account-lockout

    Hope it helps. Regards,
    Mark

  6. Good day!
    Could you help me please, is there some ability to bind a user by using a pre-encoded password. For example
    dn=”displayname=antonius,ou=Users,ou=Public,dc=rlt,dc=ssoauth,dc=net”
    userPassword=”{SHA}eyGEismvNb4N2y1rn8OFGTTbhCA=”
    I’ve enabled allow-pre-encoded-passwords flag and provided identical userPassword attribute, but this solution doesn’t work for me. Is there some tricks or this ability is not supported specially?
    Thanks in advance.

    • Hi,

      Are you sure that the password policy that applies to the user entry has allow-pre-encoded-passwords:true ?

      I just tried with a recent build from trunk, 20130624122232Z, and the feature works fine for me:

      $ encode-password -c password -s SHA
      Encoded Password:  "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
      $ dsconfig set-password-policy-prop --policy-name "Default Password Policy" --set allow-pre-encoded-passwords:true --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      $ cat new-user.ldif 
      dn: uid=demo,ou=People,dc=example,dc=com
      cn: demo
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: top
      sn: demo
      uid: demo
      userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
      
      $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --defaultAdd --filename new-user.ldif 
      Processing ADD request for uid=demo,ou=People,dc=example,dc=com
      ADD operation successful for DN uid=demo,ou=People,dc=example,dc=com
      $ ldapsearch --port 1389 --bindDN uid=demo,ou=People,dc=example,dc=com --bindPassword password --baseDN dc=example,dc=com "(uid=demo)"
      dn: uid=demo,ou=People,dc=example,dc=com
      userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: top
      uid: demo
      cn: demo
      sn: demo
      
      
      • If we make a little change
        $ ldapsearch –port 1389 –bindDN uid=demo,ou=People,dc=example,dc=com –bindPassword {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g= –baseDN dc=example,dc=com “(uid=demo)”
        Will it work too?
        I need to bind my user by using the encoded password version.

  7. Hi,

    OpenDJ is going to see the encoding scheme, {SHA}, on the stored password and use it to encode what you send it as the password before comparing the encoded value with the value of userPassword.

    Regards,
    Mark

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s