Hello all,

I've enabled the property passwords.encryption.algorithm=SSHA, but Liferay still exports the unecnrypted version of the password to LDAP. After debugging the source code a bit, it appears that Liferay only supports plaintext export of passwords to LDAP. Is this the case? Please take a look at the code snippet below:



The part where is says getPasswordUnencrypted() does not take into consideration whether LDAP actually wants it that way or not. I added the following change to the source code:

And now the password does get set properly in LDAP, however, this is very hackish... what is the trick here to having the password sent in the appropriate encryption to my LDAP server?

basically, what I am trying to figure out is if there is any "out of the box" support for sending passwords to LDAP with encryption, so that LDAP stores the passwords in an encrypted way. Or perhaps it is the LDAP server's responsibility to receive the clear text password over a secure connection and to encrypt it locally before storing?

I decided to update the code in BasePortalToLDAPConverter.java to take into account what encryption approach is being used for Liferay.

Original code:



Updated code:




As you case see, the main change that I have made is to wrap the original code in the initial "if" clause. I have added supplemental code to the "else" clase, to handle the case where some type of encryption is being used. The result of this, is that when Liferay is using some type of encryption scheme, the password sent to the LDAP server will be of the form {ENCRYPTION_SCHEME}encryptedPassword however, when no entryption is being used, a plaintext password will be sent to the LDAP server as is currently the default implementation in all cases.

I have attached a class file compatible with Liferay Portal version liferay-portal-tomcat-6.0.6-20110225

Simply overwrite your existing class file with this new one to gain specified functionality. Until a better solution becomes available, I'll be sticking with this approach.

You can download the new class file here: BasePortalToLDAPConverter.class

You should know that this only works with Apache DS. AD on the other hand requires UTF-16 encoded version of the plain text password and many other ldaps require the plain text password as they will do the hashing internally and not externally like Apache DS.

Thanks for the feedback, I really appreciate it. It would seem that the directory server should hash the password internally as you say, and I think this can be configured with a password storage option, that is not supported in the current version of Apache DS, hence this patch. I found that the jar file containing the class file to replace is webapps/ROOT/WEB-INF/lib/portal-impl.jar

If you'd like to contribute the solution we have a ticket for this LPS-19155. This needs to be made configurable through portal.properties. Also the hashing needs to be done on the fly for the plain text password as Liferay stores the hashed password differently (base64 encoded instead of hex encoded) than Apache DS expects it. You can send a pull request to me directly to https://github.com/mikakoivisto/liferay-portal or provide a patch agains trunk on the ticket. You just need to click contribute solution on the ticket after doing so.

Ok, I will take a look at it. For now I have tested it and I can change my password and re-login with no issues.

btw, I am using SSHA encoding in both Liferay and Apache DS

Hi Mika,

I have looked at the status of the related issues in Jira and it seems this has not been implemented yet, for neither Apache DS or a different LDAP server. Could you clarify whether it is, in fact, possible to store passwords in OpenLDAP in an encrypted form?

TIA