Issue in adding users with pre-encoded-password

This topic contains 11 replies, has 5 voices, and was last updated by Ludo 3 months, 1 week ago.

  • #10447
     sharad.jash 
    Participant

    Dear Forgerock team,
    I’m also facing a similar issue.
    I have a user in the DB for which I have tried to add an entry using ldapmodify. Following are the changes that have been done:
    1. In the Default Password Policy, default-password-storage-scheme changed from SSHA to MD5
    2. Also configured allow-pre-encoded-passwords:true

    My LDIF file looks like this:

    dn: uid=sharad.jade,ou=People,dc=xyz,dc=plr,dc=com
    changetype: add
    cn:SHARAD JADE
    sn:JADE
    givenName:SHARAD
    objectClass: top
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    userPassword: {MD5}$P$DPFQ4bTgaBy3Qpdb5yBFV71K13JRTi/

    Is there anything that I’m missing?

    #10448
     Ludo 
    Moderator

    What is the “similar” problem you are facing? Any error message? You are describing what you do but not what the problem is!

    #10450
     Mark Craig 
    Participant

    Hi,

    With OpenDJ directory server built from the current master branch a couple of days ago, I don’t see the problem.

    What I’m doing is very slightly different: I set only the advanced property allow-pre-encoded-passwords:true on the Default Password Policy, and then add a version of your entry that works with my example data (dc=example,dc=com is the suffix):

    $ ldapmodify -p 1389 -D "cn=Directory Manager" -w password
    dn: uid=sharad.jade,ou=People,dc=example,dc=com
    changetype: add
    cn:SHARAD JADE
    sn:JADE
    givenName:SHARAD
    objectClass: top
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    userPassword: {MD5}$P$DPFQ4bTgaBy3Qpdb5yBFV71K13JRTi/
    
    Processing ADD request for uid=sharad.jade,ou=People,dc=example,dc=com
    ADD operation successful for DN uid=sharad.jade,ou=People,dc=example,dc=com
    $ ldapsearch -p 1389 -D "cn=Directory Manager" -w password -b dc=example,dc=com "(uid=sharad.jade)" userPassword
    dn: uid=sharad.jade,ou=People,dc=example,dc=com
    userPassword: {MD5}$P$DPFQ4bTgaBy3Qpdb5yBFV71K13JRTi/

    What version of OpenDJ are you using to reproduce the problem?
    And what is the error message that you are seeing?

    #10451
     Mark Craig 
    Participant

    By the way, the same test works if I first change the Default Password Policy storage scheme to MD5.

    #10456
     sharad.jash 
    Participant

    Hi…

    @ludo: I was just typing this on a different post! That is why I wrote “similar”.
    The problem is that when I try to log in with my login credentials it says Authentication failed.

    @mark: I already changed my Default Password Policy storage scheme to MD5 and also set allow-pre-encoded-passwords to true.
    I’m using OpenDJ 3.

    Here is my policy in brief…

    >>>> Configure the properties of the Default Password Policy

    Property Value(s)
    ———————————————————————-
    1) account-status-notification-handler –
    2) allow-expired-password-changes false
    3) allow-multiple-password-values false
    4) allow-pre-encoded-passwords true
    5) allow-user-password-changes true
    6) default-password-storage-scheme MD5
    7) deprecated-password-storage-scheme –
    8) expire-passwords-without-warning false
    9) force-change-on-add false
    10) force-change-on-reset false
    11) grace-login-count 0
    12) idle-lockout-interval 30 s
    13) java-class org.opends.server.core.PasswordPolicyFactory
    14) last-login-time-attribute –
    15) last-login-time-format –
    16) lockout-duration 0 s
    17) lockout-failure-count 0
    18) lockout-failure-expiration-interval 0 s
    19) max-password-age 0 s
    20) max-password-reset-age 0 s
    21) min-password-age 0 s
    22) password-attribute userPassword
    23) password-change-requires-current-password false
    24) password-expiration-warning-interval 5 d
    25) password-generator Random Password Generator
    26) password-history-count 0
    27) password-history-duration 0 s
    28) password-validator –
    29) previous-last-login-time-format –
    30) require-change-by-time –
    31) require-secure-authentication false
    32) require-secure-password-changes false
    33) skip-validation-for-administrators false
    34) state-update-failure-policy reactive

    ?) help
    f) finish – apply any changes to the Default Password Policy
    c) cancel
    q) quit

    Enter choice [f]:

    #10459
     Ludo 
    Moderator

    So, the problem is not with adding the entry, the problem is with authenticating with the password after.
    The MD5 string doesn’t seem to match a password that would be encoded with the same MD5 algorithm implemented in OpenDJ.

    Where is that value coming from? Which process encoded it? What is the algorithm for hashing and producing the string? The fact that it starts with $P$ seems to indicate that it’s not Linux /etc/shadow…

    #10461
     sharad.jash 
    Participant

    @ludo: Thanks for your reply

    Yes, you are correct, the problem is not with adding a user. The problem is with authenticating a user.

    Yes, it’s not a Linux password; the password value is coming from a DB field. It is encoded by the MD5 hash algorithm.

    #10464
     Chris Ridd 
    Participant

    Try my Crypt suggestion in the other thread.

    #10466
     Ludo 
    Moderator

    The issue is that the algorithm used to encode this field in the DB is not identical to the algorithm used in the OpenDJ MD5 Password Storage Scheme (which is defined as follows).

    /**
     * This class defines a Directory Server password storage scheme based on the
     * MD5 algorithm defined in RFC 1321.  This is a one-way digest algorithm
     * so there is no way to retrieve the original clear-text version of the
     * password from the hashed value (although this means that it is not suitable
     * for things that need the clear-text password like DIGEST-MD5).  This
     * implementation does not perform any salting, which means that it is more
     * vulnerable to dictionary attacks than salted variants.
     */
    

    The value of the hash is then base64-encoded and prefixed with {MD5}.

    Note that OpenDJ also has a “SaltedMD5 Password Storage Scheme” which does an MD5 hash of the secret with a salt, then appends the salt and base64-encodes the result.
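An added check, not OpenDJ's code and not posted by anyone in this thread, that encodes values the way the {MD5}, {SMD5}, {SHA} and {SSHA} schemes described above do and reports why a pre-encoded value will or will not authenticate: the {MD5}$P$... value from the first post is not base64 of a 16-byte digest, while the {SSHA} value quoted later in the thread decodes to a 20-byte digest plus salt. The 8-byte salt length and the bind logic in verify() are assumptions modelled on those descriptions, not OpenDJ's implementation.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# Hash, digest length and whether a salt is appended, per OpenDJ scheme name.
SCHEMES = {"MD5": (hashlib.md5, 16, False), "SMD5": (hashlib.md5, 16, True),
           "SHA": (hashlib.sha1, 20, False), "SSHA": (hashlib.sha1, 20, True)}
PREFIX_RE = re.compile(r"\{([A-Za-z0-9]+)\}(.*)", re.S)

def _raw(scheme, password, salt):
    """Bytes that get base64-encoded: H(pw), or H(pw || salt) || salt."""
    algo, _, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    return algo(pw + salt).digest() + salt if salted else algo(pw).digest()

def encode(scheme, password, salt=None):
    """Build a userPassword value such as {SMD5}base64(MD5(pw||salt)||salt)."""
    scheme = scheme.upper()
    salt = salt if salt is not None else os.urandom(8)  # 8-byte salt is an assumption
    return "{%s}%s" % (scheme, base64.b64encode(_raw(scheme, password, salt)).decode("ascii"))

def diagnose(stored):
    """Say whether a pre-encoded value has the shape its scheme would produce."""
    m = PREFIX_RE.fullmatch(stored)
    if not m or m.group(1).upper() not in SCHEMES:
        return "missing or unsupported {SCHEME} prefix"
    scheme, payload = m.group(1).upper(), m.group(2)
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        # The thread's {MD5}$P$... value fails here: '$' is not a base64 character.
        return "payload is not base64, so it was not produced by the %s scheme" % scheme
    _, dlen, salted = SCHEMES[scheme]
    if salted and len(raw) > dlen:
        return "ok: %s digest plus %d-byte salt" % (scheme, len(raw) - dlen)
    if not salted and len(raw) == dlen:
        return "ok: %s digest" % scheme
    return "decoded %d bytes, expected a %d-byte digest%s" % (len(raw), dlen, " plus salt" if salted else "")

def verify(stored, password):
    """Simple-bind check: re-hash with the stored salt and compare in constant time."""
    if not diagnose(stored).startswith("ok"):
        return False
    scheme, payload = PREFIX_RE.fullmatch(stored).groups()
    scheme, raw = scheme.upper(), base64.b64decode(payload)
    salt = raw[SCHEMES[scheme][1]:] if SCHEMES[scheme][2] else None
    return hmac.compare_digest(raw, _raw(scheme, password, salt))
```

Running diagnose() over a DB export before loading it into the directory catches values that were hashed by some other scheme even though the {MD5} prefix was pasted in front of them.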

    #25758
     007bidder 
    Participant

    I am having the problem where the userPassword is not added to the user account.

    adding new entry “uid=dodobrown,ou=people,dc=company,dc=com”

    dn: uid=dodobrown,ou=people,dc=company,dc=com
    uid: dodobrown
    mail: dodobrown@company.com
    cn: Dodo Brown
    sn: Brown
    givenName: Dodo
    userPassword: {SSHA}KTk2O4NIXcqnmK6eOTgOWejXxzqAMQBH+Hr2VQ==
    =
    gidNumber: 20884
    uidNumber: 20884
    homeDirectory: /home/dodobrown
    loginShell: /bin/bash
    objectClass: top
    objectClass: inetorgperson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: posixAccount

    Everything is added to the directory except userPassword.

    I have set the default password policy to the suggested settings above and this still happens.

    #25760
     007bidder 
    Participant

    Here is my configuration:

    >>>> Configure the properties of the Default Password Policy

    Property Value(s)
    ——————————————————————–
    1) account-status-notification-handler –
    2) allow-expired-password-changes false
    3) allow-user-password-changes true
    4) default-password-storage-scheme Salted SHA-1
    5) deprecated-password-storage-scheme –
    6) expire-passwords-without-warning false
    7) force-change-on-add false
    8) force-change-on-reset false
    9) grace-login-count 0
    10) idle-lockout-interval 0 s
    11) last-login-time-attribute –
    12) last-login-time-format –
    13) lockout-duration 0 s
    14) lockout-failure-count 0
    15) lockout-failure-expiration-interval 0 s
    16) max-password-age 0 s
    17) max-password-reset-age 0 s
    18) min-password-age 0 s
    19) password-attribute userPassword
    20) password-change-requires-current-password false
    21) password-expiration-warning-interval 5 d
    22) password-generator Random Password Generator
    23) password-history-count 0
    24) password-history-duration 0 s
    25) password-validator –
    26) previous-last-login-time-format –
    27) require-change-by-time –
    28) require-secure-authentication false
    29) require-secure-password-changes false

    ?) help
    f) finish – apply any changes to the Default Password Policy
    q) quit

    #25768
     Ludo 
    Moderator

    I don’t believe that everything is added but userPassword.

    With ForgeRock Directory Services / OpenDJ, the entry is either fully added or not added at all, and then the Add operation gets rejected with an explicit error message.

    However, it is possible that the user searching for the entry is not authorized to read the userPassword in which case it would appear to be missing from the entry.
