This topic has 12 replies, 5 voices, and was last updated 4 years, 9 months ago by [email protected].
May 15, 2015 at 6:08 pm #4176
Juan Carlos
Participant
I want to create a new password storage scheme with a new algorithm I created to store passwords; I'm not using the default password algorithms.
What is the best way to get this? I know in Sun Java Directory Server it was done with some sort of plugin when a new algorithm was implemented, but I just want to know what the best recommendation is with OpenDJ 2.6.0.
Thank you
May 17, 2015 at 9:03 pm #4179
Ludo
Moderator
In OpenDJ, all password storage schemes implement an interface, a pretty simple one.
You might want to look at the OpenDJ server code, the extensions folder, and copy one of the schemes as a base for yours.
Password Storage Schemes can have configuration and need to be declared in the configuration, so a custom storage scheme will need its configuration description in XML, to automatically generate the dsconfig client and server code.

December 16, 2016 at 4:14 pm #14855
iceleftd
Participant
I too have a need for a custom password storage scheme. I have written code that extends PasswordStorageScheme but I cannot find any documentation on how to install and configure it. Attempts to use dsconfig create-password-storage-scheme to configure it have not been successful. Does this documentation exist? If not, can you provide that information to the masses?
December 19, 2016 at 12:35 pm #14888
Ludo
Moderator
I'm afraid this specific part has not been documented.
But a custom password storage scheme should be installed like any extension (and this is documented in the plugin example delivered with OpenDJ).

December 19, 2016 at 8:00 pm #14907
iceleftd
Participant
I do not find the existence of the plugin sample source to be useful in solving my problem. For starters, you can't build the example as it references things that are not in your repository.
Furthermore, it is entirely unclear how a "plugin" becomes available as a custom password scheme. ExamplePlugin extends DirectoryServerPlugin and handles the STARTUP plugin type. None of the defined plugin types appear to be related to password processing. Also, none of your predefined password storage schemes are implemented as plugins.

December 20, 2016 at 10:21 am #14922
Ludo
Moderator
Sorry if I wasn't clear. I didn't say that custom password storage schemes were "plugins". I said that you install them the same way as a plugin, i.e. place the jar file and dependencies in the lib/extensions/ directory.
Also, we've changed a lot how to build extensions between the 2.6.x and 3.x versions. With 2.6, the build is based on Ant and extensions should be built along with the rest of the server's code.
It's much simpler starting with version 3.5 and a Maven build. But it's still not documented (it should be with the next major release).

December 20, 2016 at 8:55 pm #14986
iceleftd
Participant
Thank you Ludo for your assistance. Yesterday through experimentation I was able to add my custom scheme to the server as an extension, albeit with an error. My current hurdle is that a password scheme must reference a configuration class:
public class MyStorageScheme extends PasswordStorageScheme<MyStorageSchemeCfg>
I don't need any configurable parameters (other than the standard enabled and java-class), and I don't need localization like you do in your built-in scheme configurations, so this should be easy. I've tried reusing an existing config class and using my own, but I can't seem to get the server to pass the right configuration class to my custom-type scheme.

December 21, 2016 at 8:23 pm #15021
Ludo
Moderator
As far as I know, custom is not a valid type for a password storage scheme (at least not with dsconfig).

December 21, 2016 at 9:10 pm #15023
iceleftd
Participant
I only knew of the custom type because of the dsconfig create-password-storage-scheme help message:
-t, --type {type}
    The type of Password Storage Scheme which should be created. The value for
    TYPE can be one of: aes | base64 | bcrypt | blowfish | clear | crypt |
    custom | md5 | pbkdf2 | pkcs5s2 | rc4 | salted-md5 | salted-sha1 |
    salted-sha256 | salted-sha384 | salted-sha512 | sha1 | triple-des
I was able, however, to finally accomplish what I wanted to do. It took longer than it should have because I was sidetracked by some of the things I tried. Here are the steps that worked for me:
1 - Write a custom storage scheme that uses an existing password storage config (salted-sha1 in this case). The class declaration was
public class MyStorageScheme extends PasswordStorageScheme<SaltedSHA1PasswordStorageSchemeCfg>
2 - Place a JAR containing my scheme (and other dependency JARs) in OpenDJ's lib/extensions directory
3 - Install my password storage scheme with a command like this:
dsconfig --bindPassword ******* -D "cn=Directory Manager" --trustAll -h localhost -p 4444 create-password-storage-scheme --scheme-name MyScheme --type salted-sha1 --set enabled:true --set java-class:com.something.MyStorageScheme
I didn't solve the issue of how to use my own custom configuration class but that wasn't necessary in this example. Thanks for your help Ludo.
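As an added example (not code from this thread or from OpenDJ itself), here is what step 1 above can look like when the scheme reuses the salted-sha1 configuration class, as iceleftd did, so that the dsconfig command above can create it. The package com.something and the scheme name MYSCHEME are assumptions chosen to match that command; the method signatures and import packages follow the OpenDJ 3.x PasswordStorageScheme class as I understand them (for 2.6, the ByteString, ByteSequence and message types live under org.opends.server.types instead) and must be checked against the version actually in use. The points worth copying into any custom scheme are the per-password SecureRandom salt, the constant-time MessageDigest.isEqual comparison, and rejecting a malformed stored value instead of throwing from passwordMatches.

```java
package com.something;  // assumed: matches the java-class in the dsconfig command above

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.opendj.ldap.ByteSequence;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.server.admin.std.server.SaltedSHA1PasswordStorageSchemeCfg;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.config.ConfigException;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.InitializationException;

/**
 * Illustrative scheme: SHA-256(password || salt) with a 16-byte random salt, stored as
 * {MYSCHEME}base64(hash || salt). Reuses the salted-sha1 config class (assumed 3.x package)
 * so the server accepts it with --type salted-sha1 and no custom XML config definition.
 */
public class MyStorageScheme extends PasswordStorageScheme<SaltedSHA1PasswordStorageSchemeCfg> {

  static final String SCHEME_NAME = "MYSCHEME";      // appears as the {MYSCHEME} prefix in userPassword
  private static final int SALT_LEN = 16;
  private static final int HASH_LEN = 32;            // SHA-256 output length
  private final SecureRandom random = new SecureRandom();

  @Override
  public void initializePasswordStorageScheme(SaltedSHA1PasswordStorageSchemeCfg cfg)
      throws ConfigException, InitializationException {
    // Nothing to read: only the standard enabled/java-class properties are used.
  }

  @Override public String getStorageSchemeName()        { return SCHEME_NAME; }
  @Override public boolean isReversible()               { return false; }
  @Override public boolean isStorageSchemeSecure()      { return true; }
  @Override public boolean supportsAuthPasswordSyntax() { return false; }

  /** SHA-256 over password || salt. Static so it can be unit-tested without a running server. */
  static byte[] digest(byte[] password, byte[] salt) {
    try {
      MessageDigest md = MessageDigest.getInstance("SHA-256");
      md.update(password);
      md.update(salt);
      return md.digest();
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e);
    }
  }

  /** base64(hash || salt), without the scheme prefix. */
  static String encode(byte[] password, byte[] salt) {
    byte[] out = Arrays.copyOf(digest(password, salt), HASH_LEN + SALT_LEN);
    System.arraycopy(salt, 0, out, HASH_LEN, SALT_LEN);
    return Base64.getEncoder().encodeToString(out);
  }

  /** Recomputes the hash with the stored salt and compares in constant time. */
  static boolean matches(byte[] password, String stored) {
    byte[] decoded;
    try {
      decoded = Base64.getDecoder().decode(stored);
    } catch (IllegalArgumentException e) {
      return false;                                    // malformed stored value never matches
    }
    if (decoded.length != HASH_LEN + SALT_LEN) return false;
    byte[] storedHash = Arrays.copyOfRange(decoded, 0, HASH_LEN);
    byte[] salt = Arrays.copyOfRange(decoded, HASH_LEN, decoded.length);
    return MessageDigest.isEqual(storedHash, digest(password, salt)); // not Arrays.equals
  }

  @Override
  public ByteString encodePassword(ByteSequence plaintext) throws DirectoryException {
    byte[] salt = new byte[SALT_LEN];
    random.nextBytes(salt);                            // fresh salt for every password
    return ascii(encode(plaintext.toByteArray(), salt));
  }

  @Override
  public ByteString encodePasswordWithScheme(ByteSequence plaintext) throws DirectoryException {
    return ascii("{" + SCHEME_NAME + "}" + encodePassword(plaintext).toString());
  }

  @Override
  public boolean passwordMatches(ByteSequence plaintext, ByteSequence stored) {
    // As for the built-in schemes, stored arrives without its {MYSCHEME} prefix.
    return matches(plaintext.toByteArray(), stored.toString());
  }

  @Override
  public ByteString getPlaintextValue(ByteSequence stored) throws DirectoryException {
    throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION,
        LocalizableMessage.raw("%s is not a reversible scheme", SCHEME_NAME));
  }

  private static ByteString ascii(String s) {
    return ByteString.wrap(s.getBytes(StandardCharsets.US_ASCII));
  }
}
```

Once the JAR is in lib/extensions and the dsconfig command above has created the scheme, userPassword values it encodes start with {MYSCHEME}; hashes imported from another system must carry that same prefix and the same base64(hash || salt) layout or passwordMatches will reject them. A single salted fast hash like this is appropriate only when you must accept existing hashes from elsewhere; for passwords set after migration, one of the slow built-in schemes in the help text above (pbkdf2, bcrypt) is the safer default.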
January 24, 2017 at 10:40 pm #15508
[email protected]
Participant
I found this post very helpful. I need to do something similar. I'm a little confused about where to find the required jars to build my extension. Ludo, you mention this can be done through Maven for newer versions of OpenDJ. Is this the repository we would use to find the dependencies: https://maven.forgerock.org/repo ?
If there is any draft documentation about building the custom password scheme, I would appreciate it. We're looking to extend the SaltedSHA256PasswordStorageSchemeCfg for importing credentials from an outside system that used a slightly different hashing scheme.
Thanks,
Andrew

January 27, 2017 at 8:49 am #15555
Ludo
Moderator
@andrew-schoewemsci-com If you are a customer, you should find the information about the repository with the appropriate dependencies in the Knowledge Base on BackStage.
I've started documenting how to build a custom password scheme (as a side project); there is no ETA yet, but it's very similar to writing a plugin, except that it extends the PasswordStorageScheme interface.

October 4, 2017 at 5:17 pm #19062
chris.hawtrey
Participant
@ludo: Has this documentation been completed? We are a new user of ForgeRock and will be transitioning our users from an in-house written solution to ForgeRock. With this we need to maintain our algorithm and I would greatly appreciate seeing documentation on how this is done.
October 4, 2017 at 8:01 pm #19063
[email protected]
Participant
Here is the article on the different password schemes: https://backstage.forgerock.com/knowledge/kb/article/a44757687
But that's different from the process/dependencies needed to build your own password scheme plugin.