Liz Douglass

Verifying encrypted passwords in OpenDS

On our project we are using OpenDS as our LDAP directory service, as Damana and Mark have blogged about. A couple of weeks ago we wanted to add the ability to store encrypted passwords for our users. We discovered that OpenDS can do this for us (yay), meaning that we can enter new users into our system along with their clear text password and OpenDS will handle the encryption for us. This discovery led to the question… how do we verify that the encrypted value actually matches the clear/plain text version we entered? There were a couple of testing alternatives that we considered:

1. Export the data for all users with the passwords in plain/clear text and verify that each matches the input value
2. Reverse engineer the clear/plain text password from the encrypted password
3. Attempt to log on as the user with their clear/plain text password

Option 1 sounded like it would minimise our testing time, so we investigated this one first. Other tests already in our code base use the OpenDS ldapsearch command line utility to query the contents of the directory server. This utility was an obvious place to start… except the search results returned did not include the password field at all… hmph…

We found out that the ldapsearch utility also has bindDN and bindPassword arguments and that it is possible to bind as the Directory Manager and see the encrypted value of the password for each user. Whilst it’s all well and good to verify that the passwords are stored in encrypted format, how do we check that they are not gibberish? The ldapsearch utility just did not have what we were after. We were hopeful that we could export the contents of the whole system (including the passwords in plain text) using another of the provided utilities, but weren’t successful in finding a way to do this.

Turning to alternative number 2 we hit upon another command line utility called encode-password. Initially we tried to use this utility to convert the known encrypted password back into plain text, but soon realised that the list of available encryption schemes did not include the SHA1 algorithm that we were using to encrypt the passwords! Then we discovered that the same utility has something called verify password mode (drumroll):

Validate password mode: Determine whether a given clear-text password is correct for a provided encoded password. In this mode, both a clear-text password (either from --clearPassword or --clearPasswordFile) and an encoded password (either from --encodedPassword or --encodedPasswordFile) are required

That meant that in our tests we could do something like this:

encode-password --clearPassword #{clear_text_password} --encodedPassword #{encrypted_password}

And then verify that the returned result was:

The provided clear-text and encoded passwords match

We ended up using this tool as well as alternative number 3 for testing (our earlier discovery of the ability to bind as a particular user in the ldapsearch utility meant that we could effectively test a user's ability to ‘login’ using their plain text password and query their own details).
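Here is an added example of how the encode-password check described above can be wrapped in a test helper, together with an offline cross-check that recomputes the hash directly. This is not code from the post or from OpenDS; it assumes the tests are written in Ruby (the `#{...}` interpolation in the command above suggests that), that `encode-password` is on the PATH, and that OpenDS stores SHA-1 passwords in the standard LDAP `{SHA}base64(sha1(pw))` and `{SSHA}base64(sha1(pw+salt)+salt)` forms. The command runner is injectable so the helper can be exercised without the tool installed.

```ruby
require 'base64'
require 'digest/sha1'
require 'open3'

# Output line the OpenDS encode-password utility prints in validate mode
# (quoted in the post). The non-match wording used below in tests is constructed.
MATCH_MESSAGE = 'The provided clear-text and encoded passwords match'.freeze

# Runs encode-password in validate mode and returns true only if the tool
# reports a match. `runner` receives the argv array and returns stdout; the
# default shells out via Open3 with an argv array, so no shell interpolation
# of the password values takes place. The binary name is an assumption.
def verify_with_encode_password(clear_text, encoded,
                                encode_password_bin: 'encode-password', runner: nil)
  argv = [encode_password_bin, '--clearPassword', clear_text,
          '--encodedPassword', encoded]
  runner ||= lambda do |cmd|
    out, _err, _status = Open3.capture3(*cmd)
    out
  end
  output = runner.call(argv)
  output.lines.any? { |line| line.strip == MATCH_MESSAGE }
end

# Offline cross-check that does not need the tool: recompute the digest from
# the clear text and compare it with the stored value in constant time.
# Supported schemes: {SHA}, {SSHA} (20-byte SHA-1 digest followed by the salt)
# and {CLEAR}. Anything else raises rather than silently passing.
def verify_locally(clear_text, encoded)
  scheme, payload = parse_scheme(encoded)
  case scheme
  when 'SHA'
    stored = Base64.strict_decode64(payload)
    secure_compare(stored, Digest::SHA1.digest(clear_text))
  when 'SSHA'
    raw = Base64.strict_decode64(payload)
    stored, salt = raw[0, 20], raw[20..-1]
    secure_compare(stored, Digest::SHA1.digest(clear_text + salt))
  when 'CLEAR'
    secure_compare(payload, clear_text)
  else
    raise ArgumentError, "unsupported storage scheme: #{scheme.inspect}"
  end
end

# Splits "{SCHEME}payload" into its two parts.
def parse_scheme(encoded)
  m = /\A\{([A-Za-z0-9]+)\}(.*)\z/m.match(encoded)
  raise ArgumentError, 'encoded password lacks a {SCHEME} prefix' unless m
  [m[1].upcase, m[2]]
end

# Length-guarded constant-time byte comparison.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Fixture builders for constructing test values in the assumed storage formats.
def encode_sha(clear_text)
  '{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(clear_text))
end

def encode_ssha(clear_text, salt)
  '{SSHA}' + Base64.strict_encode64(Digest::SHA1.digest(clear_text + salt) + salt)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a user entered with the clear text "s3cret".
  stored = encode_ssha('s3cret', 'salt1234')
  puts "stored value:  #{stored}"
  puts "right password: #{verify_locally('s3cret', stored)}"
  puts "wrong password: #{verify_locally('guess', stored)}"
end
```

In a test you would call `verify_with_encode_password(clear_text_password, encrypted_password)` for the value read back via ldapsearch bound as Directory Manager, and `verify_locally` as a second opinion that does not depend on parsing the tool's output. Passing the arguments as an array rather than a single interpolated string matters when user-supplied passwords contain shell metacharacters.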

Written by lizdouglass

November 16, 2008 at 10:05 am