
  • Decrypt LDAP Credentials from Context Configuration file

    Hi Folks,
    My company doesn't allow us to put ldap credentials in clear text password in spring context configuration file. Since we need to put the encrypted password, how can I control the LDAP Context to decrypt the password before doing any search operation? This is how my config file will look like:
    <beans>
    <bean id="ldapcontext" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://host.arcds.com:XXXX" />
    <property name="base" value="dc=mycorp,dc=com" />
    <property name="userName" value="cn=Directory Manager" />
    <property name="password" value="encrypted password" />
    <property name="pooled" value="true" />
    </bean>
    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate" >
    <constructor-arg ref="ldapcontext" />
    </bean>
    <bean id="personDao" class="com.mycorp.ldap.dao.personDaoImpl">
    <property name="ldapTemplate" ref="ldapTemplate" />
    </bean>
    </beans>

    Since we are injecting the ldapcontext in our bean, how do I make my password decrypt before ldaptemplate binds with the LDAP for any search or CRUD operation?

    Please help.
    Thanks
    Amit

  • #2
    Anyone who can answer this? I don't think it should be that hard. I'm just new to the whole Spring concept.



    • #3
      What I would recommend is a custom AuthenticationSource implementation that performs the conversion. ContextSource asks an AuthenticationSource for the principal and credentials each time they are needed (i.e. before creating an authenticated Context). Look at AbstractContextSource.SimpleAuthenticationSource and AcegiAuthenticationSource for examples of what an AuthenticationSource implementation may look like.

      Another way of doing it would be to subclass LdapContextSource and override setPassword() in that class to decrypt the password and call super.setPassword() with the decrypted value.



      • #4
        Originally posted by rasky
        What I would recommend is a custom AuthenticationSource implementation that performs the conversion. ContextSource asks an AuthenticationSource for the principal and credentials each time they are needed (i.e. before creating an authenticated Context). Look at AbstractContextSource.SimpleAuthenticationSource and AcegiAuthenticationSource for examples of what an AuthenticationSource implementation may look like.

        Another way of doing it would be to subclass LdapContextSource and override setPassword() in that class to decrypt the password and call super.setPassword() with the decrypted value.
        Thanks. I would try the second one. That's just easy.



        • #5
          Encrypted or hashed password?

          Originally posted by makymyspring
          Hi Folks,
          My company doesn't allow us to put ldap credentials in clear text password in spring context configuration file. Since we need to put the encrypted password, how can I control the LDAP Context to decrypt the password before doing any search operation? This is how my config file will look like:
          If your password is really encrypted, it is possible to decrypt. If it is hashed, then no chance. You need an alternative approach. I'm asking, because about every password system I know about uses hashing.



          • #6
            Originally posted by gregturn
            If your password is really encrypted, it is possible to decrypt. If it is hashed, then no chance. You need an alternative approach. I'm asking, because about every password system I know about uses hashing.
            Thanks for responding. This is not about the user's credentials (or password) stored in LDAP, which is generally hashed. This is actually about the security principal that you use to connect to the LDAP. Our organization has a policy that no such credentials should be kept in plain text and has to be encrypted. So, now I'm going to have the encrypted password in my bean configuration file, which I then have to decrypt using some key and then use the decrypted password to connect with LDAP.

            I think easiest way is to just subclass LDAPContextSource. If you have any other better idea, please let me know.



            • #7
              Have you tried Jasypt?
              http://www.jasypt.org/
