commit 30925d8af8acfd3586446cbae9da11130e844884
author Marc Kupietz <kupietz@ids-mannheim.de> Fri May 06 15:33:52 2022 +0200
committer Marc Kupietz <kupietz@ids-mannheim.de> Sat May 14 15:56:40 2022 +0200
tree 20119802fc7b9cf5a80edf6f8f421561d006bf84
parent 9a1188e33fe7f3226efae5437c7798dceffffb79

Embedded LDAP server LdapAuth3: support hashed passwords (sha1, sha-256)

Note that none of the currently supported hash are safe against
brute force attacks.

If ldapFilter property does not contain any occurrence of "${password}",
the user DN found via the filter expression will be authenticated
via a regular LDAP bind operation, using the entered password. In this
case, with embedded LDAP server, but probably also with others, hashed
passwords are supported and make sense.

Change-Id: I725832a2faa484623edcebeeeb727b23b6186de2

full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java

diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
index bdfb2ad..9975fcc 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
@@ -83,16 +83,16 @@
             }
         }
 
-        SearchResult srchRes = search(login, password, ldapConfig);
+        SearchResult srchRes = search(login, password, ldapConfig, !ldapConfig.searchFilter.contains("${password}"));
 
         if (srchRes == null || srchRes.getEntryCount() == 0) {
             if (DEBUGLOG) System.out.printf("Finding '%s': no entry found!\n", login);
             return LDAP_AUTH_RNAUTH;
         }
+
         return LDAP_AUTH_ROK;
     }
-
-    public static SearchResult search(String login, String password, LDAPConfig ldapConfig) throws LDAPException {
+    public static SearchResult search(String login, String password, LDAPConfig ldapConfig, boolean bindWithFoundDN) throws LDAPException {
         Map<String, String> valuesMap = new HashMap<>();
         valuesMap.put("login", login);
         valuesMap.put("password", password);
@@ -174,16 +174,32 @@
 
             if (DEBUGLOG) System.out.printf("Finding '%s': %d entries.\n", login, srchRes.getEntryCount());
         } catch (LDAPSearchException e) {
-            System.err.printf("Error: login: Search for User failed: '%s'!\n", e);
+            System.err.printf("Error: Search for User failed: '%s'!\n", e);
             ldapTerminate(lc);
             return null;
         }
 
-        if (srchRes.getEntryCount() == 0) {
+        if (srchRes == null || srchRes.getEntryCount() == 0) {
             if (DEBUGLOG) System.out.printf("Finding '%s': no entry found!\n", login);
+            ldapTerminate(lc);
             return null;
         }
 
+        if (bindWithFoundDN) {
+            String matchedDN = srchRes.getSearchEntries().get(0).getDN();
+            if (DEBUGLOG) System.out.printf("Requested bind for found user %s' failed.\n", matchedDN);
+            try {
+                // bind to server:
+                if (DEBUGLOG) System.out.printf("Binding with '%s' ...\n", matchedDN);
+                lc.bind(matchedDN, password);
+                if (DEBUGLOG) System.out.print("Binding: OK.\n");
+            } catch (LDAPException e) {
+                System.err.printf("Error: login: Binding failed: '%s'!\n", e);
+                ldapTerminate(lc);
+                return null;
+            }
+        }
+
         ldapTerminate(lc);
         return srchRes;
     }
@@ -193,7 +209,7 @@
         LDAPConfig ldapConfig = new LDAPConfig(ldapConfigFilename);
         final String emailAttribute = ldapConfig.emailAttribute;
 
-        SearchResult searchResult = search(sUserDN, sUserPwd, ldapConfig);
+        SearchResult searchResult = search(sUserDN, sUserPwd, ldapConfig, false);
 
         if (searchResult == null) {
             return null;

full/src/main/java/de/ids_mannheim/korap/server/EmbeddedLdapServer.java

diff --git a/full/src/main/java/de/ids_mannheim/korap/server/EmbeddedLdapServer.java b/full/src/main/java/de/ids_mannheim/korap/server/EmbeddedLdapServer.java
index 76f6494..88dfe2e 100644
--- a/full/src/main/java/de/ids_mannheim/korap/server/EmbeddedLdapServer.java
+++ b/full/src/main/java/de/ids_mannheim/korap/server/EmbeddedLdapServer.java
@@ -1,9 +1,8 @@
 package de.ids_mannheim.korap.server;
 
-import com.unboundid.ldap.listener.InMemoryDirectoryServer;
-import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
-import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldap.listener.*;
 import com.unboundid.ldap.sdk.LDAPException;
+import com.unboundid.util.CryptoHelper;
 import com.unboundid.util.ssl.SSLUtil;
 import com.unboundid.util.ssl.TrustAllTrustManager;
 import de.ids_mannheim.korap.authentication.LDAPConfig;
@@ -11,6 +10,7 @@
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
 
 public class EmbeddedLdapServer {
     static InMemoryDirectoryServer server;
@@ -21,6 +21,9 @@
         }
 
         InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(ldapConfig.searchBase);
+        final MessageDigest sha1Digest = CryptoHelper.getMessageDigest("SHA1");
+        final MessageDigest sha256Digest = CryptoHelper.getMessageDigest("SHA-256");
+        config.setPasswordEncoders(new ClearInMemoryPasswordEncoder("{CLEAR}", null), new ClearInMemoryPasswordEncoder("{HEX}", HexPasswordEncoderOutputFormatter.getLowercaseInstance()), new ClearInMemoryPasswordEncoder("{BASE64}", Base64PasswordEncoderOutputFormatter.getInstance()), new UnsaltedMessageDigestInMemoryPasswordEncoder("{SHA}", Base64PasswordEncoderOutputFormatter.getInstance(), sha1Digest), new UnsaltedMessageDigestInMemoryPasswordEncoder("{SHA256}", Base64PasswordEncoderOutputFormatter.getInstance(), sha256Digest));
         config.addAdditionalBindCredentials(ldapConfig.sLoginDN, ldapConfig.sPwd);
         config.setSchema(null);
 

full/src/main/resources/embedded-ldap-default.conf

diff --git a/full/src/main/resources/embedded-ldap-default.conf b/full/src/main/resources/embedded-ldap-default.conf
index becf6e0..00cd2a2 100644
--- a/full/src/main/resources/embedded-ldap-default.conf
+++ b/full/src/main/resources/embedded-ldap-default.conf
@@ -5,6 +5,6 @@
 searchBase=dc=example,dc=com
 sLoginDN=cn=admin,dc=example,dc=com
 pwd=admin
-searchFilter=(&(uid=${login})(userPassword=${password}))
+searchFilter=(uid=${login})
 useEmbeddedServer=true
 ldifFile=src/main/resources/korap-users.ldif

full/src/main/resources/korap-users.ldif

diff --git a/full/src/main/resources/korap-users.ldif b/full/src/main/resources/korap-users.ldif
index 4a3e69c..8760df9 100644
--- a/full/src/main/resources/korap-users.ldif
+++ b/full/src/main/resources/korap-users.ldif
@@ -12,16 +12,35 @@
 cn: user
 uid: user
 mail: user@example.com
-userPassword: cGFzc3dvcmQ=
+userPassword: {BASE64}cGFzc3dvcmQ=
 
 dn: uid=user1,ou=people,dc=example,dc=com
 cn: user1
 uid: user1
 mail: user1@example.com
-userPassword: password1
+userPassword: {CLEAR}password1
 
 dn: uid=user2,ou=people,dc=example,dc=com
 cn: user2
 uid: user2
 mail: user2@example.com
 userPassword: password2
+
+dn: uid=user3,ou=people,dc=example,dc=com
+cn: user3
+uid: user3
+mail: user3@example.com
+userPassword: {SHA}ERnP037iRzV+A0oI2ETuol9v0g8=
+
+dn: uid=user4,ou=people,dc=example,dc=com
+cn: user4
+uid: user4
+mail: user4@example.com
+userPassword: {SHA256}uXhzpA9zq+3Y1oWnzV5fheSpz7g+rCaIZkCggThQEis=
+
+dn: uid=user5,ou=people,dc=example,dc=com
+cn: user5
+uid: user5
+mail: user5@example.com
+userPassword: {PBKDF2-SHA256}26PFrg++/nI8YOiHum5MyAMp0HdqKMNOcLpY5RuO2bY=
+

full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java

diff --git a/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java b/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java
index 7783274..196451e 100644
--- a/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java
@@ -2,13 +2,17 @@
 
 import com.unboundid.ldap.sdk.LDAPException;
 import com.unboundid.util.Base64;
-import com.unboundid.util.StaticUtils;
 import de.ids_mannheim.korap.authentication.LdapAuth3;
 import org.junit.AfterClass;
 import org.junit.Test;
 
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
 import java.net.UnknownHostException;
 import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
 
 import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_RNAUTH;
 import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_ROK;
@@ -16,7 +20,7 @@
 
 public class EmbeddedLdapServerTest {
 
-    public static final String EMBEDDED_LDAP_DEFAULT_CONF = "src/main/resources/embedded-ldap-default.conf";
+    public static final String TEST_EMBEDDED_LDAP_CONF = "src/test/resources/test-embedded-ldap.conf";
 
     @AfterClass
     public static void shutdownEmbeddedLdapServer() {
@@ -25,36 +29,61 @@
 
     @Test
     public void embeddedServerStartsAutomaticallyAndUsersCanLogin() throws LDAPException {
-        final byte[] passwordBytes = StaticUtils.getBytes("password");
-        String pw = Base64.encode(passwordBytes);
-
-        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user", pw, EMBEDDED_LDAP_DEFAULT_CONF));
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user", "password", TEST_EMBEDDED_LDAP_CONF));
     }
 
     @Test
-    public void usersWithUnencodedPasswowrdCanLogin() throws LDAPException {
-        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user1", "password1", EMBEDDED_LDAP_DEFAULT_CONF));
+    public void usersWithClearPasswordCanLogin() throws LDAPException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user1", "password1", TEST_EMBEDDED_LDAP_CONF));
+    }
+
+    @Test
+    public void usersWithSHA1PasswordCanLogin() throws LDAPException, NoSuchAlgorithmException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user3", "password3", TEST_EMBEDDED_LDAP_CONF));
+    }
+
+    @Test
+    public void usersWithSHA256PasswordCanLogin() throws LDAPException, NoSuchAlgorithmException, InvalidKeySpecException {
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user4", "password4", TEST_EMBEDDED_LDAP_CONF));
     }
 
     @Test
     public void asteriskPasswordsFail() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("user1", "*", EMBEDDED_LDAP_DEFAULT_CONF));
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("user1", "*", TEST_EMBEDDED_LDAP_CONF));
+    }
+
+    @Test
+    public void loginWithPreencodedPBKDF2Password() throws LDAPException, NoSuchAlgorithmException, InvalidKeySpecException {
+        byte[] salt = new byte[32];
+        KeySpec spec = new PBEKeySpec("password5".toCharArray(), salt, 65536, 256);
+        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2withHmacSHA256");
+        byte[] hash = f.generateSecret(spec).getEncoded();
+
+        final String pbkdf2sha256Password = "{PBKDF2-SHA256}" + Base64.encode(hash);
+        System.out.println(pbkdf2sha256Password);
+        assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user5", pbkdf2sha256Password, TEST_EMBEDDED_LDAP_CONF));
+    }
+
+    @Test
+    public void loginWithUnEncodedPBKDF2PasswordFails() throws LDAPException, NoSuchAlgorithmException, InvalidKeySpecException {
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("user5", "password5", TEST_EMBEDDED_LDAP_CONF));
     }
 
     @Test
     public void unauthorizedUsersAreNotAllowed() throws LDAPException {
-        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("yuser", "password", EMBEDDED_LDAP_DEFAULT_CONF));
+        assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("yuser", "password", TEST_EMBEDDED_LDAP_CONF));
     }
 
     @Test
     public void gettingMailForUser() throws LDAPException, UnknownHostException, GeneralSecurityException {
-        EmbeddedLdapServer.startIfNotRunning(EMBEDDED_LDAP_DEFAULT_CONF);
-        assertEquals("user2@example.com", LdapAuth3.getEmail("user2", EMBEDDED_LDAP_DEFAULT_CONF));
+        EmbeddedLdapServer.startIfNotRunning(TEST_EMBEDDED_LDAP_CONF);
+        assertEquals("user2@example.com", LdapAuth3.getEmail("user2", TEST_EMBEDDED_LDAP_CONF));
     }
 
     @Test
-    public void gettingMailForUnknownUserIsNull() throws LDAPException, UnknownHostException, GeneralSecurityException {
-        EmbeddedLdapServer.startIfNotRunning(EMBEDDED_LDAP_DEFAULT_CONF);
-        assertEquals(null, LdapAuth3.getEmail("user1000", EMBEDDED_LDAP_DEFAULT_CONF));
+    public void gettingMailFoRNAUTHUserIsNull() throws LDAPException, UnknownHostException, GeneralSecurityException {
+        EmbeddedLdapServer.startIfNotRunning(TEST_EMBEDDED_LDAP_CONF);
+        assertEquals(null, LdapAuth3.getEmail("user1000", TEST_EMBEDDED_LDAP_CONF));
     }
+
 }

full/src/test/resources/test-embedded-ldap-users.ldif

diff --git a/full/src/test/resources/test-embedded-ldap-users.ldif b/full/src/test/resources/test-embedded-ldap-users.ldif
new file mode 100644
index 0000000..8760df9
--- /dev/null
+++ b/full/src/test/resources/test-embedded-ldap-users.ldif
@@ -0,0 +1,46 @@
+dn: dc=example,dc=com
+dc: example
+ou: people
+objectClass: dcObject
+objectClass: organizationalUnit
+
+dn: ou=people,dc=example,dc=com
+ou: people
+objectClass: organizationalUnit
+
+dn: uid=user,ou=people,dc=example,dc=com
+cn: user
+uid: user
+mail: user@example.com
+userPassword: {BASE64}cGFzc3dvcmQ=
+
+dn: uid=user1,ou=people,dc=example,dc=com
+cn: user1
+uid: user1
+mail: user1@example.com
+userPassword: {CLEAR}password1
+
+dn: uid=user2,ou=people,dc=example,dc=com
+cn: user2
+uid: user2
+mail: user2@example.com
+userPassword: password2
+
+dn: uid=user3,ou=people,dc=example,dc=com
+cn: user3
+uid: user3
+mail: user3@example.com
+userPassword: {SHA}ERnP037iRzV+A0oI2ETuol9v0g8=
+
+dn: uid=user4,ou=people,dc=example,dc=com
+cn: user4
+uid: user4
+mail: user4@example.com
+userPassword: {SHA256}uXhzpA9zq+3Y1oWnzV5fheSpz7g+rCaIZkCggThQEis=
+
+dn: uid=user5,ou=people,dc=example,dc=com
+cn: user5
+uid: user5
+mail: user5@example.com
+userPassword: {PBKDF2-SHA256}26PFrg++/nI8YOiHum5MyAMp0HdqKMNOcLpY5RuO2bY=
+

full/src/test/resources/test-embedded-ldap.conf

diff --git a/full/src/test/resources/test-embedded-ldap.conf b/full/src/test/resources/test-embedded-ldap.conf
new file mode 100644
index 0000000..fb9e079
--- /dev/null
+++ b/full/src/test/resources/test-embedded-ldap.conf
@@ -0,0 +1,10 @@
+# default and sample configuration for an automatically starting
+# embedded LDAP server
+host=localhost
+port=3267
+searchBase=dc=example,dc=com
+sLoginDN=cn=admin,dc=example,dc=com
+pwd=admin
+searchFilter=(uid=${login})
+useEmbeddedServer=true
+ldifFile=src/test/resources/test-embedded-ldap-users.ldif