Bug 478179 - MIGRATED_FROM_JIRA: SSHA Support for LDAP Authentication
Status: MODIFIED
Product: penrose
Classification: Retired
Component: Engine
Version: 2.0
Hardware/OS: All / Linux
Priority: low  Severity: low
Assigned To: Endi Sukma Dewata
QA Contact: Ben Levenson
Blocks: 471500
Reported: 2008-12-27 03:06 EST by Chandrasekar Kannan
Modified: 2018-02-07 15:48 EST
Doc Type: Bug Fix
Attachments: None

Description Chandrasekar Kannan 2008-12-27 03:06:36 EST
I would like to authenticate users using an SSHA (salted SHA) encoded password (in the userPassword field). This method is available in other LDAP servers (OpenLDAP), and this is much more secure than SHA or MD5...

If I try to use this method I get the following error message:
[02/27/2007 16:52:40] SSHA MessageDigest not available
java.security.NoSuchAlgorithmException: SSHA MessageDigest not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
        at java.security.Security.getImpl(Security.java:659)
        at java.security.MessageDigest.getInstance(MessageDigest.java:129)
        at org.safehaus.penrose.util.PasswordUtil.encrypt(PasswordUtil.java:96)
        at org.safehaus.penrose.util.PasswordUtil.encrypt(PasswordUtil.java:80)
        at org.safehaus.penrose.util.PasswordUtil.comparePassword(PasswordUtil.java:224)
        at org.safehaus.penrose.util.PasswordUtil.comparePassword(PasswordUtil.java:203)
        at org.safehaus.penrose.handler.BindHandler.performBind(BindHandler.java:125)
        at org.safehaus.penrose.handler.BindHandler.bind(BindHandler.java:58)
        at org.safehaus.penrose.handler.Handler.bind(Handler.java:218)
        at org.safehaus.penrose.session.PenroseSession.bind(PenroseSession.java:120)
        at org.safehaus.penrose.ldap.PenroseAuthenticator.authenticate(PenroseAuthenticator.java:89)
        at org.apache.directory.server.core.authn.AuthenticationService.bind(AuthenticationService.java:488)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.bind(InterceptorChain.java:1430)
        at org.apache.directory.server.core.normalization.NormalizationService.bind(NormalizationService.java:394)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.bind(InterceptorChain.java:1430)
        at org.safehaus.penrose.ldap.PenroseInterceptor.bind(PenroseInterceptor.java:130)
        at org.apache.directory.server.core.interceptor.InterceptorChain.bind(InterceptorChain.java:726)
        at org.apache.directory.server.core.partition.PartitionNexusProxy.bind(PartitionNexusProxy.java:670)
        at org.apache.directory.server.core.partition.PartitionNexusProxy.bind(PartitionNexusProxy.java:699)
        at org.apache.directory.server.core.jndi.ServerContext.<init>(ServerContext.java:126)
        at org.apache.directory.server.core.jndi.ServerDirContext.<init>(ServerDirContext.java:82)
        at org.apache.directory.server.core.jndi.ServerLdapContext.<init>(ServerLdapContext.java:63)
        at org.apache.directory.server.core.DefaultDirectoryService.getJndiContext(DefaultDirectoryService.java:170)
        at org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:137)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
        at org.apache.directory.server.ldap.support.BindHandler.messageReceived(BindHandler.java:119)
        at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:144)
        at org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler.messageReceived(LdapProtocolProvider.java:403)
        at org.apache.mina.common.support.AbstractIoFilterChain$2.messageReceived(AbstractIoFilterChain.java:189)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:502)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1000(AbstractIoFilterChain.java:52)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:777)
        at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:60)
        at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:502)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1000(AbstractIoFilterChain.java:52)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:777)
        at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:243)
        at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:305)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
        at java.lang.Thread.run(Thread.java:619)


It would be great if this was supported! 
Thanks!
Additional Comments From jimyang dated Wed Feb 28 12:09:13 CST 2007 
Temporary solution

Please refer to http://docs.safehaus.org/display/DISC/Custom+Password+Encryption for HOWTO and Code Example. 

Additional Comments From endisd dated Thu May 17 21:18:20 CDT 2007 
Penrose 1.2 has a new API that allows changing request parameters including password in all LDAP operations. The password type has been converted into byte array.

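The two comments above point at the shape of the fix: "SSHA" is not a JDK MessageDigest algorithm (the JDK knows "SHA-1", which is why MessageDigest.getInstance("SSHA") throws the NoSuchAlgorithmException in the trace) but a storage format, the literal prefix {SSHA} followed by base64(SHA-1(password || salt) || salt), where the salt is whatever follows the 20-byte digest and must be read back out of the stored value at bind time. The block below is an added example of that encoding and check in Java, written for this page rather than taken from Penrose or from the linked Custom Password Encryption HOWTO; the class and method names are hypothetical, and it takes the password as a byte array, as the Penrose 1.2 API described in the second comment does.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/**
 * Added example (not Penrose code): encode and verify OpenLDAP-style
 * {SSHA} userPassword values.
 *
 *   {SSHA} + base64( SHA-1(password || salt) || salt )
 *
 * The digest is always 20 bytes; the salt is everything after it, so the
 * verifier does not need to know the salt length in advance.
 */
public final class SshaPassword {
    private static final String PREFIX = "{SSHA}";
    private static final int SHA1_LEN = 20;

    private SshaPassword() {}

    /** Encodes a cleartext password with the given salt (hypothetical helper). */
    public static String encode(byte[] password, byte[] salt) {
        byte[] digest = sha1(password, salt);
        byte[] out = new byte[digest.length + salt.length];
        System.arraycopy(digest, 0, out, 0, digest.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    /** Encodes with a fresh 8-byte random salt, as a directory would when a password is set. */
    public static String encode(byte[] password) {
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);
        return encode(password, salt);
    }

    /** Returns true only if the cleartext password matches the stored {SSHA} value. */
    public static boolean verify(byte[] password, String stored) {
        // The scheme prefix is case-insensitive in LDAP ({ssha} and {SSHA} are the same scheme).
        if (stored == null || !stored.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            return false;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            return false; // malformed base64: treat as a non-matching, not as an error
        }
        if (decoded.length <= SHA1_LEN) {
            return false; // no salt present, so this is not a well-formed SSHA value
        }
        byte[] storedDigest = Arrays.copyOfRange(decoded, 0, SHA1_LEN);
        byte[] salt = Arrays.copyOfRange(decoded, SHA1_LEN, decoded.length);
        // Recompute with the salt taken from the entry and compare in constant time.
        return MessageDigest.isEqual(storedDigest, sha1(password, salt));
    }

    private static byte[] sha1(byte[] password, byte[] salt) {
        try {
            // The JDK provides "SHA-1"; the salting is done here, not by the provider.
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            md.update(password);
            md.update(salt);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is required in every JDK", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input for the demonstration.
        byte[] pw = "secret".getBytes(StandardCharsets.UTF_8);
        String stored = encode(pw);
        System.out.println(stored);
        System.out.println("match:    " + verify(pw, stored));
        System.out.println("mismatch: " + verify("wrong".getBytes(StandardCharsets.UTF_8), stored));
        System.out.println("garbage:  " + verify(pw, "{SSHA}not-base64!"));
    }
}
```

Two details matter for a correct bind check: the salt must be the one stored behind the digest in the entry, never a freshly generated one, and the digest comparison should be constant-time (MessageDigest.isEqual) so the bind does not leak how many digest bytes matched. SSHA does defeat precomputed tables, but it still costs an attacker one fast SHA-1 per guess; where the directory supports it, a deliberately slow scheme such as PBKDF2 or Argon2 (OpenLDAP ships these as the pw-pbkdf2 and pw-argon2 modules) is the better choice for new deployments.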

=========================================================
Issue dump from jira
$VAR1 = {
          'priority' => '4',
          'customFieldValues' => [],
          'project' => 'PENROSE',
          'status' => '5',
          'components' => [
                            {
                              'name' => 'Engine',
                              'id' => '10009'
                            }
                          ],
          'reporter' => 'hubertf',
          'key' => 'PENROSE-205',
          'assignee' => 'jimyang',
          'summary' => 'SSHA Support for LDAP Authentication',
          'id' => '10608',
          'updated' => '2007-05-17 21:18:20.0',
          'votes' => '0',
          'fixVersions' => [
                           {
                             'releaseDate' => '2007-05-18 00:00:00.0',
                             'sequence' => '22',
                             'name' => 'Penrose-1.2',
                             'released' => 'true',
                             'id' => '10088',
                             'archived' => 'false'
                           }
                         ],
          'description' => '(verbatim copy of the Description above; omitted here)',
          'affectsVersions' => [],
          'created' => '2007-02-27 10:33:00.0',
          'environment' => 'Linux',
          'resolution' => '1',
          'type' => '4'
        };


=========================================================
Comment 1 Chandrasekar Kannan 2008-12-27 03:06:38 EST
Marking bug as MODIFIED as it was already resolved in Jira - PENROSE-205