Tags: spring, spring-security, ldap, unboundid-ldap-sdk

Spring Embedded LDAP does not bind hashed passwords


I'm trying to implement Spring Boot LDAP Security, and I'm using the unboundid-ldapsdk embedded LDAP server for testing (like the tutorial here). I configured the web security to use LDAP Binding for authentication, and tested successfully using plaintext passwords. But if I change the password to a hashed version, the authentication fails. Am I missing some configuration?

Here's my security configuration:

import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;

@Configuration
@EnableWebSecurity
public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter
{

    ...

    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder)
        throws Exception
    {
        // Bind authentication: the user's DN is located with the search filter and
        // base, then the server is asked to bind as that DN with the supplied password.
        authenticationManagerBuilder.
            ldapAuthentication().
                userSearchFilter(this.ldapUserSearchFilter).
                userSearchBase(this.ldapUserSearchBase).
                contextSource(this.contextSource()).
                ldapAuthoritiesPopulator(this.authoritiesPopulator());
    }


    @Bean
    public DefaultSpringSecurityContextSource contextSource()
    {
        // Context source pointing at the embedded server (see spring.ldap.embedded.port)
        // and its base DN.
        DefaultSpringSecurityContextSource securityContextSource =
            new DefaultSpringSecurityContextSource(
                Collections.singletonList(this.ldapUrl),
                this.ldapBaseDn);
        return securityContextSource;
    }

    ...

}

The embedded LDAP properties:

spring.ldap.embedded.ldif=classpath:ldap-test.ldif
spring.ldap.embedded.base-dn=dc=testing,dc=com
spring.ldap.embedded.port=8389

And the LDIF file:

dn: dc=testing,dc=com
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: testing

dn: ou=TestingUsers,dc=testing,dc=com
objectclass: top
objectclass: organizationalUnit
ou: TestingUsers

# RDN value must match the uid attribute below (the exception later in the
# question shows the DN as uid=testingUser).
dn: uid=testingUser,ou=TestingUsers,dc=testing,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Blah_1
sn: Blah_2
uid: testingUser
userPassword: pass

Using these settings, I can authenticate with the username testingUser and password pass. But if I use the hashed password:

userPassword: {SHA}9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684

I cannot authenticate, and get this exception:

javax.naming.AuthenticationException: [LDAP: error code 49 - Unable to bind as user 'uid=testingUser,ou=TestingUsers,dc=testing,dc=com' because the provided password was incorrect.]

Thank you for your help!

UPDATE:

I found that with hashed passwords, I can authenticate by entering the hash itself, rather than the original password. So maybe unboundid-ldapsdk does not recognize the {SHA} notation?


Solution

  • I just stumbled upon the same problem and I filed a bug since hashed passwords seem not to be handled correctly by the library (I'm not sure whether they are supported at all).
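The {SHA} convention used in the question's LDIF (and its salted variant {SSHA}) stores the base64 of the digest, as OpenLDAP and Spring Security's LdapShaPasswordEncoder do; the value in the question is the hex SHA-1 of `pass`, which a scheme-aware bind would not match either. The following is an added example in Python, not code from the question, the answer or the UnboundID project, showing what a bind-side check of such values has to do and why a server that only compares bytes accepts the stored string instead of the password:

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length in bytes


def encode_ldap_sha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in the {SHA}/{SSHA} convention.

    {SHA}  = base64(sha1(pw))                (unsalted; avoid for real directories)
    {SSHA} = base64(sha1(pw + salt) + salt)  (salted; the form to prefer)
    """
    pw = password.encode("utf-8")
    if salt is None:
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    digest = hashlib.sha1(pw + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ldap_password(stored: str, candidate: str) -> bool:
    """What a bind should do: hash the candidate as `stored` prescribes, then compare.

    A server that merely compares bytes accepts the stored string itself and
    rejects the real password, which is the symptom in the question's update.
    """
    pw = candidate.encode("utf-8")
    for scheme in ("{SSHA}", "{SHA}"):
        if stored.startswith(scheme):
            try:
                raw = base64.b64decode(stored[len(scheme):], validate=True)
            except (binascii.Error, ValueError):
                return False  # malformed base64 after the scheme prefix
            digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
            if scheme == "{SHA}" and salt:
                return False  # unsalted scheme must carry exactly one digest
            return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    # No scheme prefix: cleartext value, as in the first LDIF in the question.
    return hmac.compare_digest(stored.encode("utf-8"), pw)


def hex_sha1(password: str) -> str:
    """Plain hex SHA-1, to relate the question's value to the base64 form."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()
```

The hex string from the question decodes as base64 to 30 bytes rather than a 20-byte digest, so it can never verify against `pass`; `encode_ldap_sha("pass")` gives the form a scheme-aware server expects.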