
Create Authorization Script to check BCrypt Hash #753

Closed
afroDC opened this Issue Feb 23, 2018 · 12 comments

@afroDC
Contributor

afroDC commented Feb 23, 2018

Our default encryption method for stored passwords in OpenLDAP from 3.0.* to 3.1.2 is BCrypt. OpenDJ does not support BCrypt, so we need to develop an authorization script that utilizes a python library that can verify the passwords using this hashing algorithm.

Here is one example:

http://passlib.readthedocs.io/en/stable/index.html

http://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html

>>> from passlib.hash import bcrypt

>>> # generate new salt, hash password
>>> h = bcrypt.hash("password")
>>> h
'$2a$12$NT0I31Sa7ihGEWpka9ASYrEFkhuTNeBQ2xfZskIiiJeyFXhRgS.Sy'

>>> # the same, but with an explicit number of rounds
>>> bcrypt.using(rounds=13).hash("password")
'$2b$13$HMQTprwhaUwmir.g.ZYoXuRJhtsbra4uj.qJPHrKsX5nGlhpts0jm'

>>> # verify password
>>> bcrypt.verify("password", h)
True
>>> bcrypt.verify("wrong", h)
False

@afroDC afroDC added the bug label Feb 23, 2018

@afroDC afroDC added enhancement and removed bug labels Feb 23, 2018

@yurem


Contributor

yurem commented Feb 26, 2018

We can also try to use this method during user entry migration to an LDAP server which does not support BCrypt.

@nynymike


Contributor

nynymike commented Feb 26, 2018


title Bcrypt migration
user->browser: enter password
browser->oxAuth: /authorize
oxAuth->oxAuth: bcrypt password
oxAuth<->LDAP: retrieve bcrypted password i.e. {bcrypt}xyzabc
oxAuth->oxAuth: compare bcrypted passwords
opt if match
oxAuth<->ldap: store password (use clear text)
ldap->ldap: hash password
ldap->oxAuth:
end
oxAuth->browser: response
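The flow in the diagram above, together with the passlib-based verification proposed in the opening post, as an added worked example in Python. This is illustration code written for this page, not the issue's pwd_migration.py and not Gluu or OpenDJ code. It assumes the legacy userPassword value is stored RFC 2307 style as `{BCRYPT}$2b$...`, calls the `bcrypt` package directly (the backend passlib itself uses) instead of passlib, uses `{SSHA}` purely as a stand-in for whatever scheme the directory hashes with natively, and replaces the LDAP server with a constructed in-memory `FakeDirectory` that re-hashes any clear-text value written to it, which is what the diagram's `ldap->ldap: hash password` step describes.

```python
"""Added example: verify a legacy {BCRYPT} userPassword and migrate it on login."""
import base64
import hashlib
import hmac
import os

try:
    import bcrypt  # the 'bcrypt' package (passlib's bcrypt backend); optional here
except ImportError:
    bcrypt = None

HAVE_BCRYPT = bcrypt is not None


def split_scheme(stored):
    """Split an RFC 2307 style '{SCHEME}value' into (SCHEME, value).
    The scheme name is upper-cased so '{bcrypt}' and '{BCRYPT}' compare
    equal; a value with no prefix comes back with scheme None."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, value = stored[1:].partition("}")
        return scheme.upper(), value
    return None, stored


def bcrypt_hash(password, rounds=12):
    """Build a '{BCRYPT}$2b$..' value in the form the legacy store is assumed to hold."""
    if bcrypt is None:
        raise RuntimeError("the 'bcrypt' package is required for {BCRYPT} values")
    salt = bcrypt.gensalt(rounds=rounds)
    return "{BCRYPT}" + bcrypt.hashpw(password.encode("utf-8"), salt).decode("ascii")


def bcrypt_verify(password, value):
    """checkpw accepts the $2a$/$2b$/$2y$ variants. A malformed hash string
    (or a password over bcrypt's 72-byte limit on newer releases) raises
    ValueError; that is treated as 'no match', not as a server error."""
    if bcrypt is None:
        raise RuntimeError("the 'bcrypt' package is required for {BCRYPT} values")
    try:
        return bcrypt.checkpw(password.encode("utf-8"), value.encode("ascii"))
    except ValueError:
        return False


def ssha_hash(password, salt=None):
    """{SSHA}: base64(sha1(password || salt) || salt). Assumed stand-in for the
    directory's native scheme; not OpenDJ's implementation."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, value):
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return False
    if len(raw) < 20:
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare


# Schemes the directory checks itself versus schemes this script must check.
NATIVE_VERIFIERS = {"SSHA": ssha_verify}
LEGACY_VERIFIERS = {"BCRYPT": bcrypt_verify}


class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server: one userPassword
    per uid; any clear-text write is hashed with the native scheme."""

    def __init__(self, entries):
        self.entries = dict(entries)

    def get_password(self, uid):
        return self.entries.get(uid)

    def set_clear_password(self, uid, password):
        self.entries[uid] = ssha_hash(password)


def authenticate_and_migrate(directory, uid, password):
    """Return True on a password match. When the stored value is a legacy
    {BCRYPT} hash, verify it here and, on success, write the clear text
    back so the directory re-hashes it under its own scheme."""
    if not password:  # an empty password never matches and triggers no lookup
        return False
    stored = directory.get_password(uid)
    if stored is None:
        return False
    scheme, value = split_scheme(stored)
    if scheme in NATIVE_VERIFIERS:
        return NATIVE_VERIFIERS[scheme](password, value)
    verifier = LEGACY_VERIFIERS.get(scheme)
    if verifier is None or not verifier(password, value):
        return False
    # Legacy hash matched: store the clear text once; the directory hashes it
    # natively and the next login for this user no longer needs this script.
    directory.set_clear_password(uid, password)
    return True
```

Each user pays the bcrypt path only until the first successful login, after which the entry carries the directory's native scheme. An unknown scheme, a malformed hash and an empty password all come back as a failed login rather than an exception, while a missing `bcrypt` package fails loudly, since silently rejecting every legacy user would look like a mass lockout.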
@mzico


Contributor

mzico commented Jun 18, 2018

@sahiliamsso : Changing the priority of this issue... couple of customers are waiting for this.

@colonha


colonha commented Jun 18, 2018

Maybe upgrade OpenDJ to version 3.5, which supports Bcrypt?

OpenDJ directory server now implements a Bcrypt password storage scheme that uses the bcrypt message digest algorithm

https://bugster.forgerock.org/jira/browse/OPENDJ-2435

@afroDC


Contributor

afroDC commented Jun 18, 2018

@colonha As far as I know, OpenDJ 3.5 is not open source.

@colonha


colonha commented Jun 18, 2018

I read this on their website.

OpenDJ is free to download, evaluate, and use for developing your applications and solutions. You can obtain and modify the source code to build your own version. ForgeRock offers training and support subscriptions to help you get the most out of your deployment.

@afroDC


Contributor

afroDC commented Jun 18, 2018

@colonha can you link to the source for OpenDJ 3.5 or greater?

@willow9886 willow9886 added this to the 3.1.4 milestone Jun 18, 2018

@colonha


colonha commented Jun 18, 2018

I tried, but a subscription is required. Since they claim you can obtain and modify it on your own, I'm trying to contact them.

This version can only be downloaded with an active subscription

@nynymike


Contributor

nynymike commented Jun 18, 2018

Another option, I added an issue to gluu-opendj

Add Bcrypt

@afroDC


Contributor

afroDC commented Jun 19, 2018

@sahiliamsso


Contributor

sahiliamsso commented Jun 20, 2018

I have verified this script is working fine. Below are the steps I followed

  • Installed Gluu 3.0.2
  • Imported 20 test users
  • Followed upgrade steps from 3.0.2 to 3.1.3
  • Verified all users are available in 3.1.3
  • Tried to log in with test users -> FAILED authentication
  • Enabled Bcrypt authentication script
  • Verified all test users are able to log in
  • Disabled Bcrypt authentication script
  • Verified test users are still able to log in
  • Verified negative test scenarios by providing empty/invalid password
@yurem


Contributor

yurem commented Aug 22, 2018

sahiliamsso added a commit that referenced this issue Aug 28, 2018

Create pwd_migration.py
Fixed @GluuFederation/oxAuth/issues/753