I'm currently trying to implement BCrypt with LDAP in my Spring Security. The question I have is: does LDAP support this, and if so, how do I implement it? Looking at the image below, I do not see BCrypt as an option within the Password Editor view in the LDAP perspective. My current Basic authentication works with plain-text passwords; however, I would like to enhance the security.

LDAP Options within Editor of LDAP perspective

My current security-context.xml is:

<authentication-manager>
    <ldap-authentication-provider
        user-search-filter="(uid={0})"
        user-search-base="ou=users,${ldap.base}"
        group-search-filter="(uniqueMember={0})"
        group-search-base="ou=roles,${ldap.base}"
        group-role-attribute="cn"
        role-prefix="ROLE_">
    </ldap-authentication-provider>
</authentication-manager>

How do I implement BCrypt in my case? I read somewhere that we may have to use UserDetailsService?

Any help would be greatly appreciated. Thanks.

  • Just use whatever your LDAP server does support. BCrypt isn't in that list. Commented Aug 19, 2014 at 21:45

1 Answer


It sounds like you may be misunderstanding what enabling bcrypt (or any other hash) would actually achieve, and where it would be implemented. It wouldn't make any difference to how basic authentication works, for example. That would still send the password to your application in plain text. The password hashing would then be done on the server side and checked against the stored hashed value. In a non-LDAP app, Spring Security would do this validation, after loading the password hash from a database.

LDAP adds another layer. In this case, Spring Security is a client of the LDAP server and will use the supplied username and password in an LDAP bind operation to attempt to authenticate as the user. Again, the password is sent in plain text, and this time the hashing and comparison is done by the LDAP server.

So if your aim is to secure passwords in transit, hashing is irrelevant. That is why you need to use a secure connection.

In theory, you could use LDAP more like a database, store the passwords in whatever hash format you wish, and have Spring Security read them and do the validation itself. This is possibly the UserDetailsService option you refer to. However, that isn't normal practice: it would likely break the use of bind authentication (since the LDAP server itself wouldn't understand the password encoding), and it would require giving read access to the password field, which is usually frowned on.

So as @EJP says, you should probably stick with an SSHA option and use a secure connection to your application, and possibly to your LDAP server as well.
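To make concrete what the answer describes (the LDAP server, not Spring Security, salts, hashes and compares the password during the bind, and the only thing that protects the password in transit is the connection), here is an added example that is not from the original post and not Spring Security or OpenLDAP code. It builds and verifies an OpenLDAP-style `{SSHA}` userPassword value, which is the scheme the answer recommends. The function names and the sample password are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} layout as stored in the directory's userPassword attribute:
#   "{SSHA}" + base64( sha1(password || salt) || salt )
# The salt is kept in the clear after the 20-byte digest so the server
# can recompute the hash when a client binds with the plain password.
SHA1_DIGEST_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value for `password`, using a random salt by default."""
    if salt is None:
        salt = os.urandom(8)  # 8 random bytes; constructed default for this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a plain-text password against a stored {SSHA} value.

    This is the comparison the LDAP server performs during a simple bind.
    The client (Spring Security) never sees the stored hash; it only sends
    the password, which is why the transport has to be TLS-protected.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a wrong guess is not distinguishable by timing.
    return hmac.compare_digest(candidate, digest)


def same_password_different_salts(password: str) -> bool:
    """Show why the salted scheme is preferred over plain {SHA}: two entries
    with the same password get different stored values, yet both verify."""
    a = ssha_hash(password, salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    b = ssha_hash(password, salt=b"\x10\x11\x12\x13\x14\x15\x16\x17")
    return a != b and ssha_verify(password, a) and ssha_verify(password, b)


if __name__ == "__main__":
    # Constructed sample: the value a directory admin would store for the user.
    stored = ssha_hash("correct horse battery staple")
    print(stored)
    print("bind with right password :", ssha_verify("correct horse battery staple", stored))
    print("bind with wrong password :", ssha_verify("Tr0ub4dor&3", stored))
    print("salting distinguishes entries:", same_password_different_salts("hunter2"))
```

Two things the code makes visible: the stored value carries its own salt, so verification needs nothing beyond the submitted password; and nothing in the scheme protects that password on the wire, which is the answer's point that the Spring-to-LDAP connection (an `ldaps://` URL in the `<ldap-server>` element, or StartTLS) and the browser-to-application connection are where transit security comes from.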


2 Comments

Thanks for your input, Luke. In this case, we'll have to go with an option supported by LDAP. Although we would have preferred to use BCrypt.
Wait, what's stopping someone from hashing the password on the application side after registration, and after login before sending it?
