On Mon, Mar 9, 2009 at 13:08, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
> On Mon, Mar 9, 2009 at 11:47, Christophe GRAVIER
> <christophe.gravier(a)telecom-st-etienne.fr> wrote:
> Dear XWiki users,
> I have been looking for authenticating my xwiki users against an LDAP
> directory (OpenLdap, debian box), where the userPassword field is
> encrypted using the SHA algorithm.
> Unfortunately, I am not able to configure xwiki to encrypt the
> password entered by the user before the authentication and
> authorization process.
> I receive the following snip, after enabling ldap logging in a custom
> log4j.properties file as indicated in the doc:
> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP
> authentication failed: could not validate the password: wrong password
> for uid=gravier.christophe,ou=xxx,o=yyyy,c=fr
> The configuration is nevertheless good overall, because I can log
> in if I store my password as plain text binary in my LDAP server (but
> I don't want it to be plain text in the LDAP server of course...).
> I have been searching the documentation, FAQ and user/dev mailing
> lists, and I only found encryption related to cookie storage, or SHA
> encryption for the xwiki-webdav module
> (http://xwiki.markmail.org/message/k2r2qqu2twjputml?q=ldap+SHA)
> developers' thoughts.
> Does someone have any clue on how to configure xwiki for encrypted
> userPassword stored in OpenLDAP please?
I guess sending the password encrypted to the LDAP server would be the best
for security, but anyway it's generally the LDAP server's work to encrypt
the received password, not the client's. I have passwords in my LDAP server
(ApacheDS) stored encrypted and it works perfectly (it's even how I have
always used it). I don't know OpenLDAP very well but it should have
some way to have encrypted passwords in the database even if the client
sent a non-encrypted password.
FYI in my ldif file it looks like:
dn: cn=Horatio Hornblower,ou=people,o=sevenSeas
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
cn: Horatio Hornblower
description: Capt. Horatio Hornblower, R.N
givenname: Horatio
sn: Hornblower
uid: hhornblo
mail: hhornblo(a)royalnavy.mod.uk
userpassword: {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=
note the "{SHA}" suffix in the password value.
If encrypting the password on the client side is really needed you should
add an issue on
> Best Regards,
> Ch. Gravier
> --
> Dr.-Ing. Christophe Gravier
> DIOM laboratory -
> http://diom.telecom-st-etienne.fr/
> TELECOM Saint-Étienne (formerly "Istase") -
> http://www.telecom-st-etienne.fr/
> Jabber ID : gravier.christophe(a)jabber.istase.com
> Homepage:
> http://diom.telecom-st-etienne.com/public/cgravier/
> Research project:
> http://diom.istase.fr/satin/einst/
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
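The point Thomas makes above (the client sends the cleartext password on bind; the directory hashes it and compares against the stored "{SHA}..." value) is easy to see in code. The example below is added here and is not code from the thread, from XWiki or from any LDAP server; it reimplements the RFC 2307 "{SCHEME}base64" userPassword convention in plain Python with hashlib. The "{SHA}" value is copied from the LDIF in the thread; the passwords and the 8-byte salt used in the test are constructed for the example. It also shows why client-side pre-hashing, as asked for in the original question, cannot work with such a server: the server would hash the hash and the comparison would fail.

```python
"""Added example (not from the XWiki thread): how a directory stores and checks
an RFC 2307 '{SCHEME}base64' userPassword value such as the '{SHA}...' line in
the LDIF above. In a simple bind the client sends the cleartext password; the
server recomputes the digest and compares. Implemented with hashlib only."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Value copied from the LDIF quoted in the thread (unsalted SHA-1 scheme).
PAGE_USERPASSWORD = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="


def parse_userpassword(value: str) -> Tuple[str, bytes]:
    """Split '{SCHEME}base64data' into (SCHEME, decoded digest bytes)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not a {SCHEME}-prefixed userPassword value")
    scheme, b64 = value[1:].split("}", 1)
    return scheme.upper(), base64.b64decode(b64)


def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(SHA-1(password)). Same form as the LDIF entry."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(SHA-1(password || salt) || salt).
    Preferable to {SHA}: two users with the same password no longer get the
    same stored value, and precomputed digest tables stop applying."""
    if salt is None:
        salt = os.urandom(8)  # constructed random salt for this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """What the directory does on a simple bind against a hashed userPassword:
    hash the cleartext the client sent (using the stored salt, if any) and
    compare in constant time. Returns True only for the original password."""
    scheme, raw = parse_userpassword(stored)
    pw = password.encode("utf-8")
    if scheme == "SHA":
        expected, actual = raw, hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        expected, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        actual = hashlib.sha1(pw + salt).digest()
    else:
        raise ValueError("unsupported scheme {%s}" % scheme)
    return hmac.compare_digest(actual, expected)


def client_prehash_fails(password: str, stored: str) -> bool:
    """Demonstrates the original question's idea: if the client hashed the
    password itself and sent the '{SHA}...' string as the bind password, the
    server would hash that string again and the check would fail."""
    return not verify(make_sha(password), stored)


if __name__ == "__main__":
    stored = make_ssha("example-password")
    print("scheme of page value:", parse_userpassword(PAGE_USERPASSWORD)[0])
    print("stored {SSHA}:", stored)
    print("correct password verifies:", verify("example-password", stored))
    print("wrong password verifies:", verify("wrong", stored))
    print("client pre-hashing fails:", client_prehash_fails("example-password", stored))
```

Practical notes for the OpenLDAP side of the thread: OpenLDAP's own `slappasswd` utility emits `{SSHA}` values by default, and the ppolicy overlay's `ppolicy_hash_cleartext` setting makes slapd hash a cleartext userPassword on modify, so the directory can hold only hashed values while clients such as XWiki keep sending the cleartext password over the (TLS-protected) bind.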