Embedded LDAP server LdapAuth3: support hashed passwords (sha1, sha-256)
Note that none of the currently supported hashes is safe against
brute-force attacks.
If ldapFilter property does not contain any occurrence of "${password}",
the user DN found via the filter expression will be authenticated
via a regular LDAP bind operation, using the entered password. In this
case, with embedded LDAP server, but probably also with others, hashed
passwords are supported and make sense.
Change-Id: I725832a2faa484623edcebeeeb727b23b6186de2
diff --git a/full/src/main/resources/embedded-ldap-default.conf b/full/src/main/resources/embedded-ldap-default.conf
index becf6e0..00cd2a2 100644
--- a/full/src/main/resources/embedded-ldap-default.conf
+++ b/full/src/main/resources/embedded-ldap-default.conf
@@ -5,6 +5,6 @@
searchBase=dc=example,dc=com
sLoginDN=cn=admin,dc=example,dc=com
pwd=admin
-searchFilter=(&(uid=${login})(userPassword=${password}))
+searchFilter=(uid=${login})
useEmbeddedServer=true
ldifFile=src/main/resources/korap-users.ldif
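Review bot: With `searchFilter=(uid=${login})` the password is checked only by the bind that follows, so the code performing that bind has to refuse an empty password itself: a simple bind with a DN and a zero-length password is an unauthenticated bind (RFC 4513), which some servers report as success. That code is not part of this diff, so the check may already exist; if it does not, it belongs before the bind. The value of `${login}` also goes into the filter, so it should be escaped for LDAP filter syntax wherever the substitution happens. I would add a comment above the line, e.g. `# no ${password} in the filter: the matched DN is authenticated by an LDAP bind, which is what allows hashed userPassword values`.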
diff --git a/full/src/main/resources/korap-users.ldif b/full/src/main/resources/korap-users.ldif
index 4a3e69c..8760df9 100644
--- a/full/src/main/resources/korap-users.ldif
+++ b/full/src/main/resources/korap-users.ldif
@@ -12,16 +12,35 @@
cn: user
uid: user
mail: user@example.com
-userPassword: cGFzc3dvcmQ=
+userPassword: {BASE64}cGFzc3dvcmQ=
dn: uid=user1,ou=people,dc=example,dc=com
cn: user1
uid: user1
mail: user1@example.com
-userPassword: password1
+userPassword: {CLEAR}password1
dn: uid=user2,ou=people,dc=example,dc=com
cn: user2
uid: user2
mail: user2@example.com
userPassword: password2
+
+dn: uid=user3,ou=people,dc=example,dc=com
+cn: user3
+uid: user3
+mail: user3@example.com
+userPassword: {SHA}ERnP037iRzV+A0oI2ETuol9v0g8=
+
+dn: uid=user4,ou=people,dc=example,dc=com
+cn: user4
+uid: user4
+mail: user4@example.com
+userPassword: {SHA256}uXhzpA9zq+3Y1oWnzV5fheSpz7g+rCaIZkCggThQEis=
+
+dn: uid=user5,ou=people,dc=example,dc=com
+cn: user5
+uid: user5
+mail: user5@example.com
+userPassword: {PBKDF2-SHA256}26PFrg++/nI8YOiHum5MyAMp0HdqKMNOcLpY5RuO2bY=
+
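Review bot: The `uid=user5` entry uses `{PBKDF2-SHA256}`, a scheme the commit title does not list as supported, and its value decodes to 32 bytes with no visible salt or iteration count, so it reads as a fixture for a login that must fail, but the file does not say so. A comment above the entry such as `# scheme not supported by the embedded server: bind as user5 is expected to fail` would make the intent clear, if that is the intent. `uid=user2` keeps an unprefixed value while `uid=user1` gains `{CLEAR}`; a one-line comment stating that both forms are compared as cleartext (if that is the case) would document the difference. Since `embedded-ldap-default.conf` points `ldifFile` at this file, a header comment marking these accounts as test-only sample data would help keep them out of a real deployment.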