I have a web-based tool. On the login form, the password is hashed before it is sent. All fine, the database stores only hashed passwords.
Now, we want a login with LDAP over DirectoryEntry.
But the constructor only accepts plain passwords.
My question: How can I pass hashed passwords to the DirectoryEntry class?
Current method:
using System;
using System.DirectoryServices;

public bool isAuthenticated(string domain, string username, string pwd)
{
    // DirectoryEntry expects the clear-text password; it performs the LDAP bind itself.
    string domainAndUsername = domain + @"\" + username;
    using (DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd))
    {
        try
        {
            // Accessing NativeObject forces the bind; it throws if the credentials are rejected.
            Object obj = entry.NativeObject;
            return true;
        }
        catch
        {
            // Any failure (bad credentials, unreachable server) is reported as "not authenticated".
            return false;
        }
    }
}
I do not know C#, but as far as LDAP protocol goes, there is no way to authenticate with an already hashed password.
Why do you need to hash the password before transmitting it?
If it is to avoid transmitting it over the network, the easiest solution to use would be to connect to the LDAP directory over SSL.
As a side note, IMO, transmitting the hashed password is less secure than the clear one:
Edit: Additional information
I don't know which LDAP directory you use, but on OpenLDAP you could implement this kind of mechanism if you don't use the bind operation (for example, you won't be able to use the password policy overlay).
You can implement a SASL Proxy Authorization to:
It will allow you to still benefit from the ACL mechanism and logging system for the operations performed by users.
BUT: this will be available only on OpenLDAP (or if another LDAP implementation offers the same mechanism), and it is not really the state of the art of the LDAP protocol ;)
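The approach the answer recommends, as an added example (not code from the question or the answer): keep the clear password in the form submission, but make the DirectoryEntry bind over LDAPS so the credentials are only ever sent inside a TLS session. The path parameter (an LDAP URL on port 636), the class name LdapAuth and the error-code mapping are assumptions for this example.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class LdapAuth
{
    // Returns true only when the directory accepts a bind with the supplied
    // credentials. failureReason lets the caller distinguish a rejected
    // password from an unreachable server, which a bare catch hides.
    // ldapsPath is assumed to look like "LDAP://dc01.example.internal:636".
    public static bool IsAuthenticated(string ldapsPath, string domain,
                                       string username, string password,
                                       out string failureReason)
    {
        failureReason = null;
        string domainAndUsername = domain + @"\" + username;

        // Secure = SSPI (Kerberos/NTLM) negotiation for the bind itself;
        // SecureSocketsLayer wraps the whole LDAP session in TLS (port 636),
        // so neither the password nor the directory traffic crosses the
        // network in clear text.
        var authType = AuthenticationTypes.Secure
                     | AuthenticationTypes.SecureSocketsLayer;

        using (var entry = new DirectoryEntry(ldapsPath, domainAndUsername,
                                              password, authType))
        {
            try
            {
                // Touching NativeObject forces the bind to happen now.
                object native = entry.NativeObject;
                return true;
            }
            catch (DirectoryServicesCOMException ex)
            {
                // 0x8007052E is ERROR_LOGON_FAILURE: wrong username or password.
                failureReason = ex.ErrorCode == unchecked((int)0x8007052E)
                    ? "invalid credentials"
                    : "directory error: " + ex.Message;
                return false;
            }
            catch (COMException ex)
            {
                // Transport-level problems: server down, TLS handshake failed.
                failureReason = "connection error: " + ex.Message;
                return false;
            }
        }
    }
}
```

Note that if the login form keeps hashing the password client-side, that hash simply becomes the secret the directory must accept, so it adds nothing once the session is already protected by TLS.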