Customized Password Storage Scheme

This topic contains 10 replies, has 4 voices, and was last updated by Ludo 3 weeks, 2 days ago.

    #4176 Juan Carlos (Participant)

    I want to create a new password storage scheme with a new algorithm I created to store passwords, I’m not using default password algorithms.

    What is the best way to get this? I know in Sun Java Directory Server it was done with some sort of plugin when a new algorithm was implemented but I just want to know what is the best recommendation with OpenDJ 2.6.0.

    Thank you

    #4179 Ludo (Moderator)

    In OpenDJ, all password storage schemes implement an interface, a pretty simple one.
    You might want to look at the OpenDJ server code, the extensions folder, and copy one of the schemes as a base for yours.
    Password storage schemes can have configuration and need to be declared in the configuration, so a custom storage scheme will need its configuration description in XML, to automatically generate the dsconfig client and server code.

    #14855 iceleftd (Participant)

    I too have a need for a custom password storage scheme. I have written code that extends PasswordStorageScheme but I cannot find any documentation on how to install and configure it. Attempts to use dsconfig create-password-storage-scheme to configure it have not been successful.

    Does this documentation exist? If not, can you provide that information to the masses?

    #14888 Ludo (Moderator)

    I’m afraid this specific part has not been documented.
    But a custom password storage scheme should be installed like any extension (and this is documented in the plugin example delivered with OpenDJ).

    #14907 iceleftd (Participant)

    I do not find the existence of the plugin sample source to be useful in solving my problem. For starters, you can’t build the example as it references things that are not in your repository.

    Furthermore, it is entirely unclear how a “plugin” becomes available as a custom password scheme. ExamplePlugin extends DirectoryServerPlugin and handles the STARTUP plugin type. None of the defined plugin types appear to be related to password processing. Also, none of your predefined password storage schemes are implemented as plugins.

    #14922 Ludo (Moderator)

    Sorry if I wasn’t clear. I didn’t say that custom password storage schemes were “plugins”. I said that you install them the same way as a plugin, i.e. place the jar file and dependencies in the lib/extensions/ directory.
    Also, we’ve changed a lot how to build extensions between the 2.6.x and 3.x versions. With 2.6, the build is based on Ant and extensions should be built along with the rest of the server’s code.
    It’s much simpler starting with version 3.5 and a Maven build. But it’s still not documented (it should be with the next major release).

    #14986 iceleftd (Participant)

    Thank you Ludo for your assistance. Yesterday, through experimentation, I was able to add my custom scheme to the server as an extension, albeit with an error. My current hurdle is that a password scheme must reference a configuration class:

    public class MyStorageScheme extends PasswordStorageScheme<MyStorageSchemeCfg>

    I don’t need any configurable parameters (other than the standard enabled and java-class), and I don’t need localization like you do in your built-in scheme configurations, so this should be easy. I’ve tried reusing an existing config class and using my own, but I can’t seem to get the server to pass the right configuration class to my --type custom scheme.

    #15021 Ludo (Moderator)

    As far as I know, custom is not a valid type for a password storage scheme (at least not with dsconfig).

    #15023 iceleftd (Participant)

    I only knew of the custom type because of the dsconfig create-password-storage-scheme help message:

    -t, --type {type}
        The type of Password Storage Scheme which should be created. The value for
        TYPE can be one of: aes | base64 | bcrypt | blowfish | clear | crypt |
        custom | md5 | pbkdf2 | pkcs5s2 | rc4 | salted-md5 | salted-sha1 |
        salted-sha256 | salted-sha384 | salted-sha512 | sha1 | triple-des

    I was able, however, to finally accomplish what I wanted to do. I took longer than I should have because I was sidetracked by some of the things I tried. Here are the steps that worked for me:

    1 – Write a custom storage scheme that uses an existing password storage config (salted-sha1 in this case). The class declaration was public class MyStorageScheme extends PasswordStorageScheme<SaltedSHA1PasswordStorageSchemeCfg>
    2 – Place a JAR containing my scheme (and other dependency JARs) in OpenDJ’s lib/extensions directory
    3 – Install my password storage scheme with a command like this:

    dsconfig --bindPassword ******* -D "cn=Directory Manager" --trustAll -h localhost -p 4444 create-password-storage-scheme --scheme-name MyScheme --type salted-sha1 --set enabled:true --set java-class:com.something.MyStorageScheme

    I didn’t solve the issue of how to use my own custom configuration class but that wasn’t necessary in this example. Thanks for your help Ludo.
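    The two operations every storage scheme has to provide are encoding a new password and matching a candidate against a stored value. As an added example (not code from this thread or from OpenDJ), here they are in Python for the salted-SHA layout of the base scheme used in the steps above, digest followed by salt under a {TAG} prefix; the 8-byte salt and the salt-first "legacy" layout are constructed assumptions standing in for an external system's format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Salt length is an assumption for this example, not a value taken from OpenDJ.
SALT_LEN = 8


def encode_salted(password: str, salt: Optional[bytes] = None,
                  digest: str = "sha1", tag: str = "SSHA") -> str:
    """Encode as {TAG}base64(H(password || salt) || salt), the salted-SHA layout."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    h = hashlib.new(digest, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (tag, base64.b64encode(h + salt).decode("ascii"))


def password_matches(password: str, stored: str, digest: str = "sha1",
                     salt_first: bool = False) -> bool:
    """Verify a candidate password against a stored salted hash.

    salt_first=False is the layout encode_salted() writes (digest, then salt).
    salt_first=True is a constructed stand-in for an external system that kept
    the salt ahead of the digest; a custom scheme picks whichever layout its
    imported data actually used.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False  # not a tagged value: treat as no match, never as plaintext
    raw = base64.b64decode(stored[stored.index("}") + 1:])
    dlen = hashlib.new(digest).digest_size
    if len(raw) <= dlen:
        return False  # no salt bytes present: malformed stored value
    if salt_first:
        salt, expected = raw[:-dlen], raw[-dlen:]
    else:
        expected, salt = raw[:dlen], raw[dlen:]
    actual = hashlib.new(digest, password.encode("utf-8") + salt).digest()
    # Constant-time compare so timing does not reveal how many bytes agreed.
    return hmac.compare_digest(actual, expected)
```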

    #15508 andrew.schoewe@msci.com (Participant)

    I found this post very helpful. I need to do something similar. I’m a little confused about where to find the required jars to build my extension. Ludo, you mention this can be done through Maven for newer versions of OpenDJ. Is this the repository we would use to find the dependencies: https://maven.forgerock.org/repo ?

    If there is any draft documentation about building the custom password scheme, I would appreciate it. We’re looking to extend the SaltedSHA256PasswordStorageSchemeCfg for importing credentials from an outside system that used a slightly different hashing scheme.

    Thanks,
    Andrew

    #15555 Ludo (Moderator)

    @andrew-schoewemsci-com If you are a customer, you should find the information about the repository with the appropriate dependencies in the Knowledge Base on BackStage.
    I’ve started documenting how to build a custom password scheme (as a side project), there is no ETA yet, but it’s very similar to writing a plugin, except that it extends the PasswordStorageScheme interface.

©2017 ForgeRock