By: Simon Devlin user 08 Jul 2016 at 8:49 a.m. CDT

8 Responses
Hi folks,

Just installed Gluu and pretty happy with it so far. Far easier than Shibboleth on its own :) I suspect we'll end up looking at the Docker version.

My scenario requires passwords to be hashed using PBKDF2 rather than the Salted SHA-512 used by Gluu. Is it possible to update the OpenDJ password policy to PBKDF2 via dsconfig, or is Gluu hashing the passwords itself upon user creation? (I'm inferring this from the line in setup.log allowing pre-encoded passwords.)

09:33:16 07/07/16 Running: /bin/su ldap -c cd /opt/opendj/bin ; /opt/opendj/bin/dsconfig --trustAll --no-prompt --hostname localhost --port 4444 --bindDN "cn=directory manager" --bindPasswordFile /home/ldap/.pw set-password-policy-prop --policy-name "Default Password Policy" --set **allow-pre-encoded-passwords:true**

Many thanks :-)

Simon

By Aliaksandr Samuseu staff 08 Jul 2016 at 9:04 a.m. CDT

Hi, Simon. That will most likely depend on what passwords you are talking about. I can assure you that passwords of user entries created in Gluu's own LDAP directory (like from the web UI, or imported from an Excel spreadsheet) are being encoded by OpenDJ itself. That's because if you change them by directly modifying the entry's "password" attribute in the directory, you will still be able to log in with them (by default Gluu uses the LDAP bind operation to prove that credentials provided at the login screen are valid). But it's different for OIDC clients' credentials, and for credentials Gluu uses to connect to its own and backend LDAP directories, for example. Those are being encrypted with a key known to Gluu before they are placed in config files or in config entries within the LDAP directory.

By Aliaksandr Samuseu staff 08 Jul 2016 at 9:07 a.m. CDT

> But it's different for OIDC clients' credentials, and for credentials Gluu uses to connect to its own and backend LDAP directories, for example.

Elaborating a bit on this: I mean when it connects to its own LDAP directory to load configuration or get a user's attributes, or when Cache Refresh connects to a backend directory to fetch user entries from there, i.e. for different service-related needs.

By Simon Devlin user 08 Jul 2016 at 9:42 a.m. CDT

Sorry, I should have been more explicit, and thanks for the quick reply. I'm using the SAML IDP function, with user accounts stored on the internal OpenDJ instance. It is these passwords (created directly via the Gluu GUI or spreadsheet import) that I'm referring to. It sounds as if changing the password policy to PBKDF2 is quite possible. I'll give it a try with fingers crossed :-) Thanks Aliaksandr

By Aliaksandr Samuseu staff 08 Jul 2016 at 9:48 a.m. CDT

For authentication during SAML flows Gluu also uses its standard authentication engine, so what I said before still holds. Should work fine.

By Simon Devlin user 08 Jul 2016 at 9:55 a.m. CDT

Thanks very much. I'll give it a try (after backing up).

By Aliaksandr Samuseu staff 08 Jul 2016 at 10 a.m. CDT

I'm not sure about the default admin's password though (user "cn=directory manager"), which Gluu uses to access its directory for service needs. Its password is already encoded with the hash function that was in effect during setup. Will Gluu be able to access the directory with it after you change the default hash function? But as you have a backup it's not a big problem.
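The concern above is that anything hashed before the policy change stays on the old scheme until it is re-encoded. The following is an added example, not code from this thread, from Gluu or from OpenDJ, that audits an LDIF export of `userPassword` values and reports which entries are still not on the wanted scheme. The audit only relies on the `{SCHEME}` prefix OpenDJ writes in front of a stored value; the `encode_*`/`verify` helpers follow the SSHA512 and PBKDF2 layouts as I understand OpenDJ's schemes (digest followed by an 8-byte salt; PBKDF2 with HMAC-SHA1 and an iteration-count prefix), which is an assumption to check against one real entry before relying on them. The LDIF and the DNs in it are constructed for the example.

```python
# Added example (not Gluu's or OpenDJ's code, not from this thread): audit an
# LDIF export of userPassword values to see which storage scheme each entry
# still uses, and verify a password against the SSHA512 / PBKDF2 layouts.
import base64
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.DOTALL)
SALT_LEN = 8  # ASSUMPTION: OpenDJ appends an 8-byte random salt to the digest


def scheme_of(value: str) -> Optional[str]:
    """Return the {SCHEME} prefix of a stored password, or None if cleartext."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else None


def parse_ldif_passwords(ldif: str) -> Dict[str, str]:
    """Map dn -> userPassword from an LDIF export (LDIF line folding not handled)."""
    found: Dict[str, str] = {}
    dn = None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.startswith("userPassword:: "):   # LDIF base64 form
            found[dn] = base64.b64decode(line[15:].strip()).decode()
        elif dn and line.startswith("userPassword: "):
            found[dn] = line[14:].strip()
    return found


def audit(entries: Dict[str, str], wanted: str = "PBKDF2") -> Tuple[Counter, List[str]]:
    """Count entries per scheme and list the DNs not yet on the wanted scheme."""
    counts: Counter = Counter()
    stale: List[str] = []
    for dn, stored in entries.items():
        scheme = scheme_of(stored) or "CLEARTEXT"
        counts[scheme] += 1
        if scheme != wanted:
            stale.append(dn)
    return counts, sorted(stale)


def _salt(salt: Optional[bytes]) -> bytes:
    return salt if salt is not None else os.urandom(SALT_LEN)


def encode_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    # ASSUMED layout for OpenDJ's Salted SHA-512: base64(sha512(pw || salt) || salt)
    salt = _salt(salt)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def encode_pbkdf2(password: str, iterations: int = 10000, salt: Optional[bytes] = None) -> str:
    # ASSUMED layout for OpenDJ's PBKDF2 scheme: "{PBKDF2}<iterations>:base64(dk || salt)"
    # with dk = PBKDF2-HMAC-SHA1, 20-byte output.
    salt = _salt(salt)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=20)
    return "{PBKDF2}%d:%s" % (iterations, base64.b64encode(dk + salt).decode())


def verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored SSHA512 or PBKDF2 value."""
    scheme = scheme_of(stored)
    body = stored[stored.index("}") + 1:]
    if scheme == "SSHA512":
        raw = base64.b64decode(body)
        digest, salt = raw[:-SALT_LEN], raw[-SALT_LEN:]
        candidate = hashlib.sha512(password.encode() + salt).digest()
    elif scheme == "PBKDF2":
        iterations, b64 = body.split(":", 1)
        raw = base64.b64decode(b64)
        digest, salt = raw[:-SALT_LEN], raw[-SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), salt,
                                        int(iterations), dklen=len(digest))
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    return hmac.compare_digest(digest, candidate)


def sample_ldif() -> str:
    """Constructed export in the shape of `ldapsearch ... userPassword` output."""
    bob = encode_pbkdf2("bob-pw", salt=b"\x02" * SALT_LEN)
    return "\n".join([
        "dn: uid=alice,ou=people,o=gluu",   # created before the policy change
        "userPassword: " + encode_ssha512("alice-pw", b"\x01" * SALT_LEN),
        "",
        "dn: uid=bob,ou=people,o=gluu",
        "userPassword:: " + base64.b64encode(bob.encode()).decode(),
        "",
        "dn: uid=carol,ou=people,o=gluu",
        "userPassword: " + encode_pbkdf2("carol-pw", salt=b"\x03" * SALT_LEN),
        "",
    ])


if __name__ == "__main__":
    entries = parse_ldif_passwords(sample_ldif())
    counts, stale = audit(entries)
    print(dict(counts))
    print("still on old scheme:", stale)
```

Fed a real export (an `ldapsearch` of `userPassword`, run as an identity allowed to read that attribute), the `stale` list is the set of accounts whose hashes predate the change. OpenDJ re-encodes such a password with the policy's default scheme on the entry's next successful bind once the old scheme is listed as deprecated in the password policy, so DNs that remain on the list after a while are accounts that have not logged in since.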

By Simon Devlin user 26 Jul 2016 at 3:56 p.m. CDT

Hi, I can confirm that this works for "user" accounts. After installation, but before creating users, I run the OpenDJ dsconfig utility and update the "Default password policy" to PBKDF2. Perhaps as a future enhancement it would be nice to externalize a few of the dsconfig properties into an external config file rather than setup.py (such as algorithm, password complexity). Most people don't care, but for those that do it would be helpful, and much of the LDAP setup appears to be driven from external files anyway. Anyway, thanks for the feedback. I'm pleased it worked.
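The procedure confirmed above (run dsconfig after install and before creating users), written out as an added example in the style of Gluu's `setup.py` but not part of it or of this thread. It reuses the connection arguments from the setup.log line quoted at the top of the thread. The scheme name `PBKDF2`, its `pbkdf2-iterations` property and the policy properties `default-password-storage-scheme` and `deprecated-password-storage-scheme` are OpenDJ's as I know them from its dsconfig reference, so confirm them with `dsconfig list-password-storage-schemes` and `dsconfig list-password-policies` on your version. The deprecation step is what covers accounts hashed before the change: OpenDJ re-encodes a password stored under a deprecated scheme on the entry's next successful bind. The script defaults to a dry run that only prints the commands.

```python
# Added example (not Gluu's setup.py and not from this thread): build the
# OpenDJ dsconfig invocations that switch the Default Password Policy to
# PBKDF2, mirroring the command shape quoted from setup.log in the thread.
import shlex
import subprocess
from typing import List

# Connection arguments copied from the setup.log line in the thread.
DSCONFIG = "/opt/opendj/bin/dsconfig"
BASE_ARGS = [
    "--trustAll", "--no-prompt",
    "--hostname", "localhost", "--port", "4444",
    "--bindDN", "cn=directory manager",
    "--bindPasswordFile", "/home/ldap/.pw",
]
POLICY = "Default Password Policy"
OLD_SCHEME = "Salted SHA-512"   # what Gluu's setup configures by default
NEW_SCHEME = "PBKDF2"           # OpenDJ's PBKDF2 scheme; name assumed from its docs


def dsconfig(subcommand: str, *args: str) -> List[str]:
    """Return the full argv for one dsconfig invocation (no shell involved)."""
    return [DSCONFIG, *BASE_ARGS, subcommand, *args]


def enable_pbkdf2_scheme(iterations: int = 10000) -> List[str]:
    # The scheme must be enabled before a policy can use it; the property
    # name "pbkdf2-iterations" is assumed from OpenDJ's documentation.
    return dsconfig("set-password-storage-scheme-prop",
                    "--scheme-name", NEW_SCHEME,
                    "--set", "enabled:true",
                    "--set", f"pbkdf2-iterations:{iterations}")


def set_default_scheme(scheme: str = NEW_SCHEME) -> List[str]:
    # Only passwords set or changed after this point use the new scheme.
    return dsconfig("set-password-policy-prop", "--policy-name", POLICY,
                    "--set", f"default-password-storage-scheme:{scheme}")


def deprecate_scheme(scheme: str = OLD_SCHEME) -> List[str]:
    # A deprecated scheme stays valid for binds, but OpenDJ re-encodes the
    # entry's password with the default scheme on the next successful bind,
    # so accounts created before the change migrate without a reset.
    return dsconfig("set-password-policy-prop", "--policy-name", POLICY,
                    "--add", f"deprecated-password-storage-scheme:{scheme}")


def show_policy() -> List[str]:
    # Read back the two properties to confirm the change took effect.
    return dsconfig("get-password-policy-prop", "--policy-name", POLICY,
                    "--property", "default-password-storage-scheme",
                    "--property", "deprecated-password-storage-scheme")


def migration_plan(iterations: int = 10000) -> List[List[str]]:
    """The ordered steps to run after install and before creating users."""
    return [enable_pbkdf2_scheme(iterations), set_default_scheme(),
            deprecate_scheme(), show_policy()]


def run(argv: List[str], dry_run: bool = True) -> int:
    """Print the command and execute it unless dry_run is set; return the exit code."""
    print(("DRY RUN: " if dry_run else "RUN: ") + " ".join(shlex.quote(a) for a in argv))
    if dry_run:
        return 0
    return subprocess.run(argv, check=False).returncode


def apply_plan(dry_run: bool = True) -> bool:
    """Run every step in order, stopping at the first failure; True if all succeeded."""
    return all(run(step, dry_run) == 0 for step in migration_plan())


if __name__ == "__main__":
    # Default is a dry run; pass dry_run=False on the real server, after a backup.
    apply_plan(dry_run=True)
```

Passing argv lists straight to `subprocess.run` avoids the `su -c` shell layer seen in setup.log, so the policy name and bind DN with spaces need no quoting; the printed dry-run line is shell-quoted only for reading.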

By Aliaksandr Samuseu staff 26 Jul 2016 at 4:12 p.m. CDT

Thanks for confirmation, Simon. I'm not sure whether we need to add more options to the `setup.py` script (maybe just some hint in the FAQ section?), but if you think it really would be useful for other users, please feel free to leave a feature request/proposal with your considerations either here on the support boards, or [here on GitHub](https://github.com/GluuFederation/community-edition-setup/issues).