OpenDJ / OPENDJ-6538

Pass Through Policy ignores the Cached Password Storage Settings

    Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 6.5.2, 6.5.1, 6.5.0, 6.0.0, 7.0.0
    • Fix Version/s: Not applicable
    • Component/s: core server, security
    • Labels: None
    • Story Points: 0
    • Support Ticket IDs:

      Description

      If a pass-through authentication policy uses a cached-password-storage-scheme, the scheme is ignored when the entry is added or imported.

      dn: cn=My Pass Through Test Pol,cn=Password Policies,cn=config
      objectClass: top
      objectClass: ds-cfg-authentication-policy
      objectClass: ds-cfg-ldap-pass-through-authentication-policy
      cn: Pass Thru
      ds-cfg-cached-password-storage-scheme: cn=Salted SHA-384,cn=Password Storage Schemes,cn=config
      ds-cfg-java-class: org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory
      ds-cfg-mapping-policy: unmapped
      ds-cfg-primary-remote-ldap-server: localhost:636
      ds-cfg-use-password-caching: true

      Add entry:

      opendj; bin /$ ./ldapmodify --port 1636 --useSsl --TrustAll --bindDN "cn=Directory Manager" --bindPasswordFile pass <<"EOF"
      > dn: uid=user.0,ou=People,dc=example,dc=com
      > changetype: add
      > objectClass: top
      > objectClass: person
      > objectClass: organizationalPerson
      > objectClass: inetOrgPerson
      > cn: Aaccf Amar
      > description: This is the description for Aaccf Amar.
      > employeeNumber: 0
      > givenName: Aaccf
      > homePhone: +1 225 216 5900
      > initials: ASA
      > l: Panama City
      > mail: user.0@example.com
      > mobile: +1 010 154 3228
      > pager: +1 779 041 6341
      > postalAddress: Aaccf Amar$01251 Chestnut Street$Panama City, DE  50369
      > postalCode: 50369
      > sn: Amar
      > st: DE
      > street: 01251 Chestnut Street
      > telephoneNumber: +1 685 622 6202
      > uid: user.0
      > userPassword: MyS@mple01
      > ds-pwp-password-policy-dn: cn=My Pass Through Test Pol,cn=Password Policies,cn=config
      > EOF
      # ADD operation successful for DN uid=user.0,ou=People,dc=example,dc=com

      The entry's password is stored in the clear:

      opendj; bin /$ ./ldapsearch --port 1636 --useSsl --TrustAll --bindDN "cn=Directory Manager" --bindPasswordFile pass --baseDN dc=example,dc=com uid=user.0 ds-pwp-password-policy-dn userPassword createTimestamp
      dn: uid=user.0,ou=People,dc=example,dc=com
      userPassword: MyS@mple01
      createTimestamp: 20190817211751Z
      ds-pwp-password-policy-dn: cn=My Pass Through Test Pol,cn=Password Policies,cn=config

      Imported entry:

      While the userPassword is not stored in the clear, it is hashed with the default password storage scheme, not the cached password storage scheme from the pass-through policy.

      opendj; bin /$ ./ldapsearch --port 1636 --useSsl --TrustAll --bindDN "cn=Directory Manager" --bindPasswordFile pass --baseDN dc=example,dc=com uid=user.0 ds-pwp-password-policy-dn userPassword createTimestamp
      dn: uid=user.0,ou=People,dc=example,dc=com
      userPassword: {SSHA512}JL2+Cf7OQls0GzSrN12CV5sfpmqvoDBT1v/zo3mf8TMCJnBXDBDp3HOzY6XHMZn4amrkDpDLT9tXkxyt5vmFnrpIMdOshmAB
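
      As an added example (not the reporter's commands and not OpenDJ code), the following Python script scans an LDIF export for entries whose ds-pwp-password-policy-dn points at a pass-through policy that sets a cached-password-storage-scheme, and flags every userPassword whose {SCHEME} tag differs from that scheme. Both situations shown in this ticket (a cleartext value after an add, a default-scheme {SSHA512} hash after an import) are reported; an entry under the default policy is skipped. The policy entry and the userRoot entries embedded in the script are constructed, the hash strings are dummy values rather than real digests, and the table mapping scheme config names to userPassword tags is an assumption limited to the salted SHA schemes mentioned here.

```python
"""Audit an LDIF export for userPassword values stored with a scheme other than
the cached-password-storage-scheme of the pass-through policy each entry
references.  Added example for OPENDJ-6538, not OpenDJ code; the LDIF below is
constructed and the hash strings are dummies, not real digests."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the ticket's policy entry (lives in cn=config).
POLICY_LDIF = """\
dn: cn=My Pass Through Test Pol,cn=Password Policies,cn=config
objectClass: ds-cfg-ldap-pass-through-authentication-policy
ds-cfg-cached-password-storage-scheme: cn=Salted SHA-384,cn=Password Storage Schemes,cn=config
ds-cfg-use-password-caching: true
"""

# Constructed userRoot export: cleartext (the add case), default-scheme hash
# (the import case), a correct SSHA384 hash, and an entry not under the policy.
DATA_LDIF = """\
dn: uid=user.0,ou=People,dc=example,dc=com
userPassword: MyS@mple01
ds-pwp-password-policy-dn: cn=My Pass Through Test Pol,cn=Password Policies,cn=config

dn: uid=user.1,ou=People,dc=example,dc=com
userPassword: {SSHA512}AAAAdummyAAAA
ds-pwp-password-policy-dn: cn=My Pass Through Test Pol,cn=Password Policies,cn=config

dn: uid=user.2,ou=People,dc=example,dc=com
userPassword: {SSHA384}BBBBdummyBBBB
ds-pwp-password-policy-dn: cn=My Pass Through Test Pol,cn=Password Policies,cn=config

dn: uid=user.3,ou=People,dc=example,dc=com
userPassword: {SSHA512}CCCCdummyCCCC
"""

# Scheme config entry name -> tag written into userPassword (assumed mapping,
# covering the salted SHA schemes that appear in the ticket).
SCHEME_PREFIX = {"Salted SHA-256": "SSHA256", "Salted SHA-384": "SSHA384",
                 "Salted SHA-512": "SSHA512"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: folds continuation lines, skips comments, returns
    one lower-cased attribute -> values dict per entry (no base64 support)."""
    folded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]            # RFC 2849 continuation line
        else:
            folded.append(line)
    entries, current = [], {}
    for line in folded + [""]:                # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def scheme_of(password: str) -> str:
    """Return the {SCHEME} tag of a stored userPassword, or CLEAR if none."""
    m = re.match(r"\{([^}]+)\}", password)
    return m.group(1).upper() if m else "CLEAR"


def expected_schemes(policies: List[Dict[str, List[str]]]) -> Dict[str, str]:
    """Map each policy DN to the tag of its cached-password-storage-scheme."""
    out = {}
    for e in policies:
        for scheme_dn in e.get("ds-cfg-cached-password-storage-scheme", []):
            name = scheme_dn.split(",")[0].split("=", 1)[1]   # "Salted SHA-384"
            if name in SCHEME_PREFIX:
                out[e["dn"][0].lower()] = SCHEME_PREFIX[name]
    return out


def audit(policy_ldif: str, data_ldif: str) -> List[Tuple[str, str, str]]:
    """Return (dn, expected tag, actual tag) for every entry whose policy
    caches passwords but whose userPassword uses a different scheme."""
    expected = expected_schemes(parse_ldif(policy_ldif))
    findings = []
    for e in parse_ldif(data_ldif):
        policy = e.get("ds-pwp-password-policy-dn", [""])[0].lower()
        if policy not in expected:
            continue                  # default policy or no caching: out of scope
        for pw in e.get("userpassword", []):
            if scheme_of(pw) != expected[policy]:
                findings.append((e["dn"][0], expected[policy], scheme_of(pw)))
    return findings


if __name__ == "__main__":
    for dn, want, got in audit(POLICY_LDIF, DATA_LDIF):
        print(f"{dn}: expected {{{want}}}, found {got}")
```

      In practice the two inputs would come from an export-ldif of cn=config (for the policy entries) and of the user backend; the script deliberately treats a cleartext value as its own scheme, CLEAR, so that the add case in this ticket is reported alongside the wrong-scheme import case.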


    People

    • Assignee: Matthew Swift (matthew)
    • Reporter: Lee Trujillo (lee.trujillo)
    • Dev Assignee: Matthew Swift
    • Votes: 0
    • Watchers: 2
