Embedded LDAP server LdapAuth3: support hashed passwords (sha1, sha-256)
Note that none of the currently supported hashes are safe against
brute-force attacks.
If the ldapFilter property does not contain any occurrence of "${password}",
the user DN found via the filter expression is authenticated
via a regular LDAP bind operation, using the entered password. In this
case, with the embedded LDAP server, but probably also with others, hashed
passwords are supported and make sense.
Change-Id: I725832a2faa484623edcebeeeb727b23b6186de2
diff --git a/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java b/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java
index 7783274..196451e 100644
--- a/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/server/EmbeddedLdapServerTest.java
@@ -2,13 +2,17 @@
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.Base64;
-import com.unboundid.util.StaticUtils;
import de.ids_mannheim.korap.authentication.LdapAuth3;
import org.junit.AfterClass;
import org.junit.Test;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_RNAUTH;
import static de.ids_mannheim.korap.authentication.LdapAuth3.LDAP_AUTH_ROK;
@@ -16,7 +20,7 @@
public class EmbeddedLdapServerTest {
- public static final String EMBEDDED_LDAP_DEFAULT_CONF = "src/main/resources/embedded-ldap-default.conf";
+ public static final String TEST_EMBEDDED_LDAP_CONF = "src/test/resources/test-embedded-ldap.conf";
@AfterClass
public static void shutdownEmbeddedLdapServer() {
@@ -25,36 +29,61 @@
@Test
public void embeddedServerStartsAutomaticallyAndUsersCanLogin() throws LDAPException {
- final byte[] passwordBytes = StaticUtils.getBytes("password");
- String pw = Base64.encode(passwordBytes);
-
- assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user", pw, EMBEDDED_LDAP_DEFAULT_CONF));
+ assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user", "password", TEST_EMBEDDED_LDAP_CONF));
}
@Test
- public void usersWithUnencodedPasswowrdCanLogin() throws LDAPException {
- assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user1", "password1", EMBEDDED_LDAP_DEFAULT_CONF));
+ public void usersWithClearPasswordCanLogin() throws LDAPException {
+ assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user1", "password1", TEST_EMBEDDED_LDAP_CONF));
+ }
+
+ @Test
+ public void usersWithSHA1PasswordCanLogin() throws LDAPException, NoSuchAlgorithmException {
+ assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user3", "password3", TEST_EMBEDDED_LDAP_CONF));
+ }
+
+ @Test
+ public void usersWithSHA256PasswordCanLogin() throws LDAPException, NoSuchAlgorithmException, InvalidKeySpecException {
+ assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user4", "password4", TEST_EMBEDDED_LDAP_CONF));
}
@Test
public void asteriskPasswordsFail() throws LDAPException {
- assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("user1", "*", EMBEDDED_LDAP_DEFAULT_CONF));
+ assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("user1", "*", TEST_EMBEDDED_LDAP_CONF));
+ }
+
+ @Test
+ public void loginWithPreencodedPBKDF2Password() throws LDAPException, NoSuchAlgorithmException, InvalidKeySpecException {
+ byte[] salt = new byte[32];
+ KeySpec spec = new PBEKeySpec("password5".toCharArray(), salt, 65536, 256);
+ SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2withHmacSHA256");
+ byte[] hash = f.generateSecret(spec).getEncoded();
+
+ final String pbkdf2sha256Password = "{PBKDF2-SHA256}" + Base64.encode(hash);
+ System.out.println(pbkdf2sha256Password);
+ assertEquals(LDAP_AUTH_ROK, LdapAuth3.login("user5", pbkdf2sha256Password, TEST_EMBEDDED_LDAP_CONF));
+ }
+
+ @Test
+ public void loginWithUnEncodedPBKDF2PasswordFails() throws LDAPException, NoSuchAlgorithmException, InvalidKeySpecException {
+ assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("user5", "password5", TEST_EMBEDDED_LDAP_CONF));
}
@Test
public void unauthorizedUsersAreNotAllowed() throws LDAPException {
- assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("yuser", "password", EMBEDDED_LDAP_DEFAULT_CONF));
+ assertEquals(LDAP_AUTH_RNAUTH, LdapAuth3.login("yuser", "password", TEST_EMBEDDED_LDAP_CONF));
}
@Test
public void gettingMailForUser() throws LDAPException, UnknownHostException, GeneralSecurityException {
- EmbeddedLdapServer.startIfNotRunning(EMBEDDED_LDAP_DEFAULT_CONF);
- assertEquals("user2@example.com", LdapAuth3.getEmail("user2", EMBEDDED_LDAP_DEFAULT_CONF));
+ EmbeddedLdapServer.startIfNotRunning(TEST_EMBEDDED_LDAP_CONF);
+ assertEquals("user2@example.com", LdapAuth3.getEmail("user2", TEST_EMBEDDED_LDAP_CONF));
}
@Test
- public void gettingMailForUnknownUserIsNull() throws LDAPException, UnknownHostException, GeneralSecurityException {
- EmbeddedLdapServer.startIfNotRunning(EMBEDDED_LDAP_DEFAULT_CONF);
- assertEquals(null, LdapAuth3.getEmail("user1000", EMBEDDED_LDAP_DEFAULT_CONF));
+ public void gettingMailFoRNAUTHUserIsNull() throws LDAPException, UnknownHostException, GeneralSecurityException {
+ EmbeddedLdapServer.startIfNotRunning(TEST_EMBEDDED_LDAP_CONF);
+ assertEquals(null, LdapAuth3.getEmail("user1000", TEST_EMBEDDED_LDAP_CONF));
}
+
}
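Review bot: `loginWithPreencodedPBKDF2Password` asserts that the stored `{PBKDF2-SHA256}` string itself is accepted as user5's password while `password5` is rejected, so it pins the stored credential value acting as the credential rather than any PBKDF2 verification; if that is just the embedded server comparing literally for a scheme it does not implement, the test should say so, e.g. `// {PBKDF2-SHA256} is not a supported scheme here: the stored value is compared literally, so only the encoded string authenticates`. The `System.out.println(pbkdf2sha256Password)` on the line before the assertion is a leftover debug print that writes the credential string to the test output and should be removed. The rename of `gettingMailForUnknownUserIsNull` to `gettingMailFoRNAUTHUserIsNull` looks like a search-and-replace artefact ("rUnknown" → "RNAUTH"); the old name, or `gettingMailForUnknownUserReturnsNull` with `assertNull(...)`, describes what is asserted. `usersWithSHA1PasswordCanLogin` and `usersWithSHA256PasswordCanLogin` declare `NoSuchAlgorithmException` / `InvalidKeySpecException` that nothing in their one-line bodies throws.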
diff --git a/full/src/test/resources/test-embedded-ldap-users.ldif b/full/src/test/resources/test-embedded-ldap-users.ldif
new file mode 100644
index 0000000..8760df9
--- /dev/null
+++ b/full/src/test/resources/test-embedded-ldap-users.ldif
@@ -0,0 +1,46 @@
+dn: dc=example,dc=com
+dc: example
+ou: people
+objectClass: dcObject
+objectClass: organizationalUnit
+
+dn: ou=people,dc=example,dc=com
+ou: people
+objectClass: organizationalUnit
+
+dn: uid=user,ou=people,dc=example,dc=com
+cn: user
+uid: user
+mail: user@example.com
+userPassword: {BASE64}cGFzc3dvcmQ=
+
+dn: uid=user1,ou=people,dc=example,dc=com
+cn: user1
+uid: user1
+mail: user1@example.com
+userPassword: {CLEAR}password1
+
+dn: uid=user2,ou=people,dc=example,dc=com
+cn: user2
+uid: user2
+mail: user2@example.com
+userPassword: password2
+
+dn: uid=user3,ou=people,dc=example,dc=com
+cn: user3
+uid: user3
+mail: user3@example.com
+userPassword: {SHA}ERnP037iRzV+A0oI2ETuol9v0g8=
+
+dn: uid=user4,ou=people,dc=example,dc=com
+cn: user4
+uid: user4
+mail: user4@example.com
+userPassword: {SHA256}uXhzpA9zq+3Y1oWnzV5fheSpz7g+rCaIZkCggThQEis=
+
+dn: uid=user5,ou=people,dc=example,dc=com
+cn: user5
+uid: user5
+mail: user5@example.com
+userPassword: {PBKDF2-SHA256}26PFrg++/nI8YOiHum5MyAMp0HdqKMNOcLpY5RuO2bY=
+
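Review bot: The user5 entry stores a `{PBKDF2-SHA256}` value that the test derives with a 32-byte all-zero salt (`new byte[32]`) and 65536 iterations, and that scheme is not among the ones the commit message lists as supported, so a reader of this fixture cannot tell that the entry exists to pin the unsupported-scheme path rather than to demonstrate PBKDF2 support. An LDIF comment above the entry, `# {PBKDF2-SHA256} is not implemented by the embedded server; this entry only exercises that path in EmbeddedLdapServerTest`, would make that explicit. The `{SHA}` and `{SHA256}` values for user3 and user4 are unsalted digests, which the commit message already concedes are not brute-force resistant; a one-line header such as `# test fixture only: unsalted digests and clear-text values, never copy into a deployment` keeps the file from being reused as a template.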
diff --git a/full/src/test/resources/test-embedded-ldap.conf b/full/src/test/resources/test-embedded-ldap.conf
new file mode 100644
index 0000000..fb9e079
--- /dev/null
+++ b/full/src/test/resources/test-embedded-ldap.conf
@@ -0,0 +1,10 @@
+# default and sample configuration for an automatically starting
+# embedded LDAP server
+host=localhost
+port=3267
+searchBase=dc=example,dc=com
+sLoginDN=cn=admin,dc=example,dc=com
+pwd=admin
+searchFilter=(uid=${login})
+useEmbeddedServer=true
+ldifFile=src/test/resources/test-embedded-ldap-users.ldif
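Review bot: The header comment `# default and sample configuration for an automatically starting embedded LDAP server` appears to be carried over from the default conf, but this file is the test configuration (it points at `src/test/resources/test-embedded-ldap-users.ldif` and is referenced from the test class only); `# test configuration for the embedded LDAP server used by EmbeddedLdapServerTest` would stop it being treated as a sample. The commit message describes an `ldapFilter` property that may contain `${password}`, while this file sets `searchFilter=(uid=${login})`; if both keys exist their relation should be stated here, otherwise one of the names looks wrong. Because `${login}` is substituted into an LDAP filter, the code performing the substitution (not in this diff) needs to escape the value per RFC 4515; a comment on the `searchFilter` line noting that the filter relies on that escaping would stop it being relaxed later. The `sLoginDN`/`pwd=admin` bind credentials are acceptable for an in-memory test server but are another reason not to label the file as a sample.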