By default OpenDJ hashes passwords such that the clear text versions are no longer available after the data has been imported. For example, you might find entries such as the following in exported LDIF.
dn: uid=bjensen,ou=People,dc=example,dc=com
...
userPassword: {SSHA}87Lko/hZ+ls8T+mdlBj+FjwQYkcR6ly6X5W3Xw==
...
It turns out that you can import LDIF with pre-encoded passwords directly into OpenDJ, at least in versions 2.4.3 and later. (Technically, this works for supported storage schemes such as SSHA, shown in braces in the example above. For the list of supported password storage schemes, run encode-password -l.)
Sometimes, however, you want to update a password with a pre-encoded value, and the OpenDJ default password policy does not let you do so.
$ cat /path/to/abarnes-pwd.ldif
dn: uid=abarnes,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}9RvNtFy7ug0YYk4JZGlyBUfhVFfOJwWgqe9+rA==

$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f /path/to/abarnes-pwd.ldif
Processing MODIFY request for uid=abarnes,ou=people,dc=example,dc=com
MODIFY operation failed
Result Code: 53 (Unwilling to Perform)
Additional Information: User passwords may not be provided in pre-encoded form
You can change the default behavior by modifying the advanced password policy property, allow-pre-encoded-passwords, by using the dsconfig command.
$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password set-password-policy-prop --policy-name "Default Password Policy" --set allow-pre-encoded-passwords:true -X -n

$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password -f /path/to/abarnes-pwd.ldif
Processing MODIFY request for uid=abarnes,ou=people,dc=example,dc=com
MODIFY operation successful for DN uid=abarnes,ou=people,dc=example,dc=com

$ ldapsearch -p 1389 -D "uid=abarnes,ou=people,dc=example,dc=com" -w password -b dc=example,dc=com uid=abarnes userPassword
dn: uid=abarnes,ou=People,dc=example,dc=com
userPassword: {SSHA}9RvNtFy7ug0YYk4JZGlyBUfhVFfOJwWgqe9+rA==
For more on password policy configuration, check out the draft admin guide chapter on the subject.
Using pre-encoded passwords might prevent the directory server from enforcing password policy items such as password quality, and for that reason alone, is a bad idea.
Good point, Terry.
In fact the only use case that comes to mind for putting pre-encoded userPassword values back into the directory is when importing the data from LDIF. What are the use cases for authPassword, as in http://tools.ietf.org/html/rfc3112?
A common use case for RFC3112 would be in conjunction with RFC3062 and server-generated passwords.
Maybe I'm going about things the wrong way? Advice appreciated, but I am importing a couple of thousand users from an OpenLDAP installation to a new OpenDJ server. This will allow me to import the current user passwords without having to enforce a change for everybody.
The user base is mainly students and it is a bit like herding cats, so I wish to minimise change for them.
Hello David,
Before trying to import the OpenLDAP data into OpenDJ, make sure that the OpenLDAP schema definitions are also available in OpenDJ. Ludovic Poitou has written a script to convert OpenLDAP schema, http://ludopoitou.wordpress.com/2009/07/31/updated-schema-convert-py-script-for-opends/ to help with that step. The Admin Guide chapter on Schema might help once you’ve converted the OpenLDAP schema and are wondering what to do then, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#chap-schema
Although you don’t want all users to have to replace their passwords right away, you still probably want to set up a password policy that has them change passwords eventually, and then use acceptable passwords when they do. There’s a chapter in the Admin Guide about password policies, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#chap-pwd-policy
It's possible to set up OpenDJ to send mail to active users, warning them for example about password expiration. That's described towards the end of the chapter on account lockout, http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide.html#chap-account-lockout
Hope it helps. Regards,
Mark
Good day!
Could you help me please: is there some way to bind a user by using a pre-encoded password? For example
dn="displayname=antonius,ou=Users,ou=Public,dc=rlt,dc=ssoauth,dc=net"
userPassword="{SHA}eyGEismvNb4N2y1rn8OFGTTbhCA="
I've enabled the allow-pre-encoded-passwords flag and provided an identical userPassword attribute, but this solution doesn't work for me. Are there some tricks, or is this ability specifically not supported?
Thanks in advance.
Hi,
Are you sure that the password policy that applies to the user entry has allow-pre-encoded-passwords:true ?
I just tried with a recent build from trunk, 20130624122232Z, and the feature works fine for me:
If we make a little change
$ ldapsearch --port 1389 --bindDN uid=demo,ou=People,dc=example,dc=com --bindPassword {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g= --baseDN dc=example,dc=com "(uid=demo)"
Will it work too?
I need to bind my user by using the encoded password version.
Hi,
OpenDJ is going to see the encoding scheme, {SHA}, on the stored password and use it to encode what you send it as the password before comparing the encoded value with the value of userPassword.
Regards,
Mark
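The following Python script is an added example (not code from the post or from OpenDJ) that makes two points on this page concrete: how the {SHA} and {SSHA} userPassword values shown in the post are constructed, and why a bind with the encoded string as the password fails, as Mark describes above: the server hashes whatever the client sends under the scheme found on the stored value and compares digests, so sending the hash itself just produces a hash of the hash. It also includes a small pre-import sanity check for pre-encoded values (scheme recognised, valid base64, digest-plus-salt length), which is the most a directory can verify about such a value; it cannot assess password quality, which is Terry's objection. The 8-byte salt length is an assumption that matches the 28-byte payloads in the examples above; the {SHA} value quoted in the comment is the SHA-1 of "password".

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Storage schemes this example understands: scheme name -> digest length in bytes.
# Only the SHA-1 based schemes shown on the page; OpenDJ supports more (encode-password -l).
DIGEST_LEN = {"SHA": 20, "SSHA": 20}
SALT_LEN = 8  # assumption: salt length behind the 28-byte SSHA payloads in the post


def encode_sha(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def encode_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(sha1(password + salt) + salt); random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str):
    """Split '{SCHEME}base64' into (SCHEME, decoded payload bytes)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value is not in {SCHEME}base64 form")
    end = stored.index("}")
    scheme = stored[1:end].upper()
    try:
        payload = base64.b64decode(stored[end + 1:], validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not valid base64") from exc
    return scheme, payload


def check_pre_encoded(stored: str) -> str:
    """Sanity-check a pre-encoded userPassword value before import; returns the scheme name."""
    scheme, payload = split_scheme(stored)
    if scheme not in DIGEST_LEN:
        raise ValueError(f"unsupported scheme {scheme}")
    digest_len = DIGEST_LEN[scheme]
    if scheme == "SHA" and len(payload) != digest_len:
        raise ValueError("SHA payload must be exactly the 20-byte digest")
    if scheme == "SSHA" and len(payload) <= digest_len:
        raise ValueError("SSHA payload must be the digest followed by a non-empty salt")
    return scheme


def verify(candidate: str, stored: str) -> bool:
    """Mimic a simple bind: hash the candidate under the stored scheme, then compare digests."""
    scheme, payload = split_scheme(stored)
    if scheme == "SHA":
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(payload, expected)
    if scheme == "SSHA":
        digest, salt = payload[:DIGEST_LEN["SSHA"]], payload[DIGEST_LEN["SSHA"]:]
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError(f"unsupported scheme {scheme}")


if __name__ == "__main__":
    stored = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="      # value quoted in the comment above
    print(check_pre_encoded(stored))                    # SHA
    print(verify("password", stored))                   # True: clear-text bind succeeds
    print(verify(stored, stored))                       # False: the encoded string is hashed again
    print(verify("secret12", encode_ssha("secret12")))  # True: constructed SSHA round trip
```

Run it as a script to see the four results, or import it and call verify() against values exported from your own directory. The `verify(stored, stored)` line is the situation from the comment: with the encoded value as the bind password, the comparison is sha1("{SHA}W6ph...") against sha1("password"), which can never match, regardless of allow-pre-encoded-passwords.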
I understood, thanks a lot