Does LDAP store user password in clear text or as encoded text?

0
votes

I am going through this spring LDAP integration article: https://spring.io/guides/gs/authenticating-ldap/

This article contains a sample LDIF file, where the passwords are presented in clear text.

dn: uid=bob,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
userPassword: bobspassword

But this users password is encrypted

dn: uid=ben,ou=people,dc=springframework,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alex
sn: Alex
uid: ben
userPassword: $2a$10$c6bSeWPhg06xB1lvmaWNNe4NROmZiSpYhlocU/98HNr2MhIOiSt36

so just wondering, is this something configurable on the LDAP server. And how come one users password is encrypted while other users password or not?

How Ever, i see the spring security in this example is configured to use BCrypt Password Encoder.

@Override
  public void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth
      .ldapAuthentication()
        .userDnPatterns("uid={0},ou=people")
        .groupSearchBase("ou=groups")
        .contextSource()
          .url("ldap://localhost:8389/dc=springframework,dc=org")
          .and()
        .passwordCompare()
          .passwordEncoder(new BCryptPasswordEncoder())
          .passwordAttribute("userPassword");
  }

and the demo user suggested for login is ben with password benpassword. Just wondering what would happen if I login as another user, I guess I should be denied as spring's using bcrypt and the passwords of other users in ldap are not encoded.

1
spring-securityldapspring-ldapspring-security-ldap

1 Answers

2
votes

It would depend on the LDAP server, specifically, how passwords are handled. But, yeah, they're generally stored in some encrypted/hashed fashion. In the Oracle Directory Server, for example, password policies have a "Password storage scheme" which controls how the password is stored. In some directory servers, it's possible to store user passwords in clear text. In that case, anyone with read access to the passwords would be able to pull the password off of the user account. Not something I've seen set up outside of a sandbox.

The LDIF you're looking at feeds the password in to the server as clear text but the server would hash/encrypt the value based on the server / password policy configuration before storing it on the object.