Thursday Oct 03, 2013

Reusing passwords encoded with custom hash in OUD

Existing user passwords can be easily migrated to OUD as long as they are hashed with an algorithm supported OOTB by Oracle Unified Directory. The list of password storage schemes supported by OUD is available at http://docs.oracle.com/cd/E22289_01/html/821-1278/password-storage-scheme.html

In some situations, legacy passwords to be migrated are hashed with custom algorithms or old hash algorithms not supported by OUD.  The OUD Extensible Framework can be used to reuse these passwords and migrate them transparently to a new & configurable password storage scheme, without forcing users to change their password.

The proposed plugin intercepts bind requests and add pre&post processing to handle custom algorithm and migrate the password to a new scheme. Here is the high level algorithm:

§1. Plugin intercepts LDAP bind request as a pre-operation plugin

§2. Determine if the password stored in the user entry has a custom hash tag e.g {Custom}

§3a. If the entry has the custom hash, then hash the clear text password provided by the LDAP client using the custom password hash.

§3b. If the entry does not have the custom hash, the skip to step 6

§4. Compare the hashed value computed from the clear text password with the custom hash contained in the entry.

§5. If the hash compare matches, then replace the existing custom hashed password with the hash algorithm defined by the default password hash storage scheme.

§6. Then pass the bind through to OUD to bind.

§7. OUD will hash the clear text value using the default password hash storage scheme and compare with the value in the directory.

Step 6 always forwards the bind request to the OUD core server to make sure the password policy states are properly updates.

User passwords are migrated progressively over time to the new password storage scheme as users authenticate to the OUD directory. The plugin can them be desactivated when all the passwords have been migrated.


Thursday Feb 18, 2010

Browsing LDAP services from within Netbeans

Just to let you know that Allan Lykke Christensen has just released a new version of the LDAP explorer for Netbeans.
LDAP Explorer is a module for NetBeans providing a simple interface for browsing LDAP services from within NetBeans. 

You can download the latest release from the NetBeans Plugin Portal, http://plugins.netbeans.org/PluginPortal/faces/PluginDetailPage.jsp?pluginid=25684
More info on Allan's blog at http://blogs.i2m.dk/allan/

About


I am Sylvain Duloutre, I work as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
9
10
11
12
13
14
16
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today