[
https://issues.apache.org/jira/browse/SYNCOPE-313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14026394#comment-14026394
]
Francesco Chicchiriccò commented on SYNCOPE-313:
------------------------------------------------
After some reference tests with {{-Pdebug}} I think I've finally got your point.
When I create a user via {{ldapadd}} with password 'password', the actual
value using {{SHA1}} is
{code}
{SSHA}nuCQ3hYajf2HUcfdIUj48C5eqA7x94ks
{code}
hence it is safe to assume that a similar value will be returned by the LDAP
connector.
However, on Syncope's internal storage, the same password value ('password')
encrypted using {{SHA1}} results in
{code}
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
{code}
which is the same value - apart from letter case - returned, for example, by
internal MySQL function:
{code}
mysql> select sha1('password');
+------------------------------------------+
| sha1('password')                         |
+------------------------------------------+
| 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 |
+------------------------------------------+
{code}
and also the same value generated by the DBTable connector when configured with
{{SHA1}} as "Password cipher algorithm":
{code}
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
{code}
Besides the letter case (should we worry about this anyway?), do you think that
it is reliable to empower Commons Codec to convert HEX digests to BASE64 and
vice-versa:
{code}
// hex: the HEX digest as stored by Syncope, e.g. "5BAA61E4...".toCharArray()
byte[] decodedHex = Hex.decodeHex(hex);
// same 20 bytes, re-encoded as BASE64 (encodeBase64, not codeBase64)
byte[] encodedHexB64 = Base64.encodeBase64(decodedHex);
{code}
If this works for our purposes, I don't think there is need to change
{{PasswordEncoder}}'s behavior, e.g. leave everything to HEX and only handle
BASE64->HEX conversion in {{LDAPPasswordSyncActions}} (or any other password
sync actions for resources using BASE64 digest).
WDYT?
> Support synchronizing non-cleartext passwords from external resources
> ---------------------------------------------------------------------
>
> Key: SYNCOPE-313
> URL: https://issues.apache.org/jira/browse/SYNCOPE-313
> Project: Syncope
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Fix For: 1.2.0
>
>
> Currently we can synchronize cleartext passwords from external resources.
> However, we can't handle non-cleartext passwords, as they get treated as if
> they are plaintext passwords when imported into Syncope, and hence hashed
> again according to user.cipherAlgorithm().
> This task is to treat an imported password as hashed according to a given
> cipher algorithm configured on the connector (for example via 'Password
> Cipher Algorithm' for the DB Connector).
> This is specific to each individual connector, as for example for the DB
> Connector, it might just be a hashed value stored in a table, whereas for
> LDAP it'll be of the form "{CIPHER}VALUE" etc.
> Note that we cannot refer to any specific connector bundle from inside the
> SyncopeSyncResultHandler, hence we should find the cleanest place to
> encapsulate the following logic:
> if (password.isClearText()) {
>     // do as currently done
> } else {
>     if (connector.isLDAP()) {
>         // extract cipher and value
>     } else if (connector.isDBTable()) {
>         // treat value as ciphered with the cipher defined in connector configuration
>     } else {
>         ...
>     }
> }
--
This message was sent by Atlassian JIRA
(v6.2#6252)