Bug 478179 - MIGRATED_FROM_JIRA: SSHA Support for LDAP Authentication
Summary: MIGRATED_FROM_JIRA: SSHA Support for LDAP Authentication
Keywords:
Status: CLOSED EOL
Alias: None
Product: penrose
Classification: Retired
Component: Engine
Version: 2.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Endi Sukma Dewata
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 471500
Reported: 2008-12-27 08:06 UTC by Chandrasekar Kannan
Modified: 2020-03-27 19:36 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-03-27 19:36:38 UTC
Embargoed:



Description Chandrasekar Kannan 2008-12-27 08:06:36 UTC
I would like to authenticate users using an SSHA (salted SHA) encoded password (in the userPassword field). This method is available in other LDAP servers (OpenLDAP), and this is much more secure than SHA or MD5...

If I try to use this method I get the following error message:
[02/27/2007 16:52:40] SSHA MessageDigest not available
java.security.NoSuchAlgorithmException: SSHA MessageDigest not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
        at java.security.Security.getImpl(Security.java:659)
        at java.security.MessageDigest.getInstance(MessageDigest.java:129)
        at org.safehaus.penrose.util.PasswordUtil.encrypt(PasswordUtil.java:96)
        at org.safehaus.penrose.util.PasswordUtil.encrypt(PasswordUtil.java:80)
        at org.safehaus.penrose.util.PasswordUtil.comparePassword(PasswordUtil.java:224)
        at org.safehaus.penrose.util.PasswordUtil.comparePassword(PasswordUtil.java:203)
        at org.safehaus.penrose.handler.BindHandler.performBind(BindHandler.java:125)
        at org.safehaus.penrose.handler.BindHandler.bind(BindHandler.java:58)
        at org.safehaus.penrose.handler.Handler.bind(Handler.java:218)
        at org.safehaus.penrose.session.PenroseSession.bind(PenroseSession.java:120)
        at org.safehaus.penrose.ldap.PenroseAuthenticator.authenticate(PenroseAuthenticator.java:89)
        at org.apache.directory.server.core.authn.AuthenticationService.bind(AuthenticationService.java:488)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.bind(InterceptorChain.java:1430)
        at org.apache.directory.server.core.normalization.NormalizationService.bind(NormalizationService.java:394)
        at org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.bind(InterceptorChain.java:1430)
        at org.safehaus.penrose.ldap.PenroseInterceptor.bind(PenroseInterceptor.java:130)
        at org.apache.directory.server.core.interceptor.InterceptorChain.bind(InterceptorChain.java:726)
        at org.apache.directory.server.core.partition.PartitionNexusProxy.bind(PartitionNexusProxy.java:670)
        at org.apache.directory.server.core.partition.PartitionNexusProxy.bind(PartitionNexusProxy.java:699)
        at org.apache.directory.server.core.jndi.ServerContext.<init>(ServerContext.java:126)
        at org.apache.directory.server.core.jndi.ServerDirContext.<init>(ServerDirContext.java:82)
        at org.apache.directory.server.core.jndi.ServerLdapContext.<init>(ServerLdapContext.java:63)
        at org.apache.directory.server.core.DefaultDirectoryService.getJndiContext(DefaultDirectoryService.java:170)
        at org.apache.directory.server.core.jndi.AbstractContextFactory.getInitialContext(AbstractContextFactory.java:137)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
        at org.apache.directory.server.ldap.support.BindHandler.messageReceived(BindHandler.java:119)
        at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:144)
        at org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler.messageReceived(LdapProtocolProvider.java:403)
        at org.apache.mina.common.support.AbstractIoFilterChain$2.messageReceived(AbstractIoFilterChain.java:189)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:502)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1000(AbstractIoFilterChain.java:52)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:777)
        at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:60)
        at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:502)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1000(AbstractIoFilterChain.java:52)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:777)
        at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:243)
        at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:305)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
        at java.lang.Thread.run(Thread.java:619)


It would be great if this was supported! 
Thanks!
Additional Comments From jimyang dated Wed Feb 28 12:09:13 CST 2007 
Temporary solution

Please refer to http://docs.safehaus.org/display/DISC/Custom+Password+Encryption for HOWTO and Code Example. 

Additional Comments From endisd dated Thu May 17 21:18:20 CDT 2007 
Penrose 1.2 has a new API that allows changing request parameters, including the password, in all LDAP operations. The password type has been converted into a byte array.
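For anyone hitting the NoSuchAlgorithmException above or writing the custom password encryption plugin the HOWTO link describes: the JCA has no "SSHA" digest because {SSHA} is a storage scheme (base64 of SHA-1(password || salt) followed by the salt, as OpenLDAP stores it), not an algorithm. The class below is an added example, not Penrose or project code; the class name, the 8-byte salt length and the sample password are my own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
/** Hypothetical helper for RFC 2307 style {SSHA} userPassword values; not Penrose code. */
public final class SshaPasswordCheck {
    private static final String PREFIX = "{SSHA}";
    private static final int SHA1_LEN = 20;   // SHA-1 digest size in bytes
    /** Encode as {SSHA}base64( SHA-1(password || salt) || salt ). */
    public static String encode(byte[] password, byte[] salt) throws NoSuchAlgorithmException {
        // "SSHA" is not a JCA MessageDigest name (hence the NoSuchAlgorithmException above);
        // the salted scheme is built on plain SHA-1 with the salt appended to the input.
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(password);
        sha1.update(salt);
        byte[] digest = sha1.digest();
        byte[] out = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }
    /** Verify a bind password against a stored {SSHA} value; false on any malformed input. */
    public static boolean verify(byte[] candidate, String stored) throws NoSuchAlgorithmException {
        if (stored == null || !stored.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            return false;                                   // not an SSHA value
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            return false;                                   // invalid base64
        }
        if (raw.length <= SHA1_LEN) {
            return false;                                   // digest with no salt behind it
        }
        byte[] salt = Arrays.copyOfRange(raw, SHA1_LEN, raw.length);   // salt is whatever follows the digest
        byte[] expected = Base64.getDecoder().decode(encode(candidate, salt).substring(PREFIX.length()));
        return MessageDigest.isEqual(expected, raw);        // constant-time comparison
    }
    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = new byte[8];                          // constructed sample: 8-byte random salt
        new SecureRandom().nextBytes(salt);
        byte[] pw = "correct horse".getBytes(StandardCharsets.UTF_8);
        String stored = encode(pw, salt);
        System.out.println(stored + " ok=" + verify(pw, stored) + " wrong=" + verify("wrong".getBytes(StandardCharsets.UTF_8), stored));
    }
}
```

A plugin for Penrose would dispatch on the scheme prefix and call verify for {SSHA} instead of passing the literal "SSHA" to MessageDigest.getInstance; the salt length is taken from the stored value, so values written by OpenLDAP with a different salt size verify as well.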


=========================================================
Issue dump from jira
$VAR1 = {
          'priority' => '4',
          'customFieldValues' => [],
          'project' => 'PENROSE',
          'status' => '5',
          'components' => [
                            {
                              'name' => 'Engine',
                              'id' => '10009'
                            }
                          ],
          'reporter' => 'hubertf',
          'key' => 'PENROSE-205',
          'assignee' => 'jimyang',
          'summary' => 'SSHA Support for LDAP Authentication',
          'id' => '10608',
          'updated' => '2007-05-17 21:18:20.0',
          'votes' => '0',
          'fixVersions' => [
                           {
                             'releaseDate' => '2007-05-18 00:00:00.0',
                             'sequence' => '22',
                             'name' => 'Penrose-1.2',
                             'released' => 'true',
                             'id' => '10088',
                             'archived' => 'false'
                           }
                         ],
          'affectsVersions' => [],
          'created' => '2007-02-27 10:33:00.0',
          'environment' => 'Linux',
          'resolution' => '1',
          'type' => '4'
        };


=========================================================

Comment 1 Chandrasekar Kannan 2008-12-27 08:06:38 UTC
Marking bug as MODIFIED as it was already resolved in Jira - PENROSE-205

