OpenIdentityPlatform / OpenDJ

OpenDJ is an LDAPv3 compliant directory service, which has been developed for the Java platform, providing a high performance, highly available, and secure store for the identities managed by your organization. Its easy installation process, combined with the power of the Java platform makes OpenDJ the simplest, fastest directory to deploy and manage.
https://www.openidentityplatform.org/opendj

Add support for PBKDF2-HMAC-SHA256 password encoding #227

Closed lscorcia closed 2 years ago

lscorcia commented 2 years ago

Is your feature request related to a problem? Please describe.
I need to import into an OpenDJ instance users from Django applications that store passwords in the PBKDF2-HMAC-SHA256 format, i.e.:

testing -> pbkdf2_sha256$15000$Pjun1TMGEQnM$lShdzU33covbDNiqGVDffdHh/86VaECJlaaNXchT0ew=

The value above is composed of <algorithm>$<iterations>$<ascii_salt>$base64(<digest>). With some jigglery I can convert it to {PBKDF2-HMAC-SHA256}<iterations>:base64(<digest><salt>) which is its standard representation used in LDAP projects:

{PBKDF2-HMAC-SHA256}15000:lShdzU33covbDNiqGVDffdHh/86VaECJlaaNXchT0exQanVuMVRNR0VRbk0=

Describe the solution you'd like
I need to add to OpenDJ the additional encryption scheme PBKDF2-HMAC-SHA256. It is essentially the same as PBKDF2, it just uses SHA256 as the hashing function instead of the older SHA1.

Additional context
This is already supported in Forgerock DS7 (https://backstage.forgerock.com/knowledge/kb/book/b99437584#M03kaX), together with the SHA512 variant.
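The Django-to-OpenDJ re-packing described above, written out as an added Python example (not code from this issue or from OpenDJ). It assumes that the digest occupies the hash function's full output length (32 bytes for SHA-256) with the salt appended after it, and that Django's `pbkdf2_sha1` corresponds to OpenDJ's plain `PBKDF2` scheme; `DIGEST_BY_SCHEME` and the function names are this example's own.

```python
import base64
import hashlib
import hmac

# Django stores:  <algorithm>$<iterations>$<ascii_salt>$base64(<digest>)
# OpenDJ stores:  {<SCHEME>}<iterations>:base64(<digest><salt>)
# Django name -> (OpenDJ scheme, hashlib digest). The pbkdf2_sha1 -> PBKDF2
# pairing is an assumption; the SHA-256 one is what the issue describes.
SCHEMES = {
    "pbkdf2_sha256": ("PBKDF2-HMAC-SHA256", "sha256"),
    "pbkdf2_sha1": ("PBKDF2", "sha1"),
}
DIGEST_BY_SCHEME = {scheme: digest for scheme, digest in SCHEMES.values()}
DIGEST_BY_SCHEME["PBKDF2-HMAC-SHA512"] = "sha512"  # the variant DS7 also ships


def django_to_opendj(django_hash: str) -> str:
    """Re-pack a Django PBKDF2 value for OpenDJ; no password needed."""
    algorithm, iterations, salt, digest_b64 = django_hash.split("$")
    if algorithm not in SCHEMES:
        raise ValueError(f"unsupported Django algorithm: {algorithm}")
    scheme, _ = SCHEMES[algorithm]
    int(iterations)  # reject a corrupt iteration count before importing it
    packed = base64.b64decode(digest_b64) + salt.encode("ascii")
    return f"{{{scheme}}}{iterations}:{base64.b64encode(packed).decode('ascii')}"


def make_opendj_hash(password: str, salt: bytes, iterations: int,
                     scheme: str = "PBKDF2-HMAC-SHA256") -> str:
    """Build an OpenDJ-style value from scratch (used to round-trip below)."""
    dk = hashlib.pbkdf2_hmac(DIGEST_BY_SCHEME[scheme], password.encode(), salt, iterations)
    return f"{{{scheme}}}{iterations}:{base64.b64encode(dk + salt).decode('ascii')}"


def verify_opendj(stored: str, password: str) -> bool:
    """Check a password against an OpenDJ-style value. Assumes the digest
    occupies the hash's natural output length (32 bytes for SHA-256) and
    the salt is everything after it, as in the issue's sample value."""
    scheme, rest = stored[1:].split("}", 1)
    iterations, packed_b64 = rest.split(":", 1)
    digest_name = DIGEST_BY_SCHEME[scheme]
    dklen = hashlib.new(digest_name).digest_size
    packed = base64.b64decode(packed_b64)
    digest, salt = packed[:dklen], packed[dklen:]
    candidate = hashlib.pbkdf2_hmac(digest_name, password.encode(), salt, int(iterations), dklen)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison
```

Running `django_to_opendj` on the sample value above reproduces the `{PBKDF2-HMAC-SHA256}15000:...` string exactly, and `verify_opendj` can then check a candidate password against the re-packed value before it is imported.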

lscorcia commented 2 years ago

After a few hours, it does not seem difficult to generalize the PBKDF2 implementation for other digest types. I will try to provide a PR.

lscorcia commented 2 years ago

PR is ready for review.

lscorcia commented 2 years ago

Closed as merged.

maxfieb commented 1 year ago

It seems this was mentioned in the last release of the 4.4 tree, 4.4.15

But it has not been released in the current 4.5.x tree for a default server install; is this an oversight?

The template/config/config.ldif for 4.4.15 has this, as does 4.5.4, but it does not appear in a new 4.5.4 server under the cn=config backend, under cn=Password Storage Schemes,cn=config (a default server setup).

The root DSA "" of a new 4.5.4 server has supportedAuthSchemes only for PBKDF2, no PBKDF2-HMAC-SHA-(256/512) entries.

dn: cn=PBKDF2-HMAC-SHA256,cn=Password Storage Schemes,cn=config
objectClass: top
objectClass: ds-cfg-password-storage-scheme
objectClass: ds-cfg-pbkdf2-password-storage-scheme
objectClass: ds-cfg-pbkdf2-hmac-sha256-password-storage-scheme
cn: PBKDF2-HMAC-SHA256
ds-cfg-java-class: org.opends.server.extensions.PBKDF2HmacSHA256PasswordStorageScheme
ds-cfg-enabled: true

dn: cn=PBKDF2-HMAC-SHA512,cn=Password Storage Schemes,cn=config
objectClass: top
objectClass: ds-cfg-password-storage-scheme
objectClass: ds-cfg-pbkdf2-password-storage-scheme
objectClass: ds-cfg-pbkdf2-hmac-sha512-password-storage-scheme
cn: PBKDF2-HMAC-SHA512
ds-cfg-java-class: org.opends.server.extensions.PBKDF2HmacSHA512PasswordStorageScheme
ds-cfg-enabled: true