opends/resource/config/config.ldif
@@ -849,6 +849,33 @@ ds-cfg-require-secure-password-changes: false ds-cfg-skip-validation-for-administrators: false dn: cn=Root Password Policy,cn=Password Policies,cn=config objectClass: top objectClass: ds-cfg-password-policy cn: Root Password Policy ds-cfg-password-attribute: userPassword ds-cfg-default-password-storage-scheme: SSHA512 ds-cfg-allow-expired-password-changes: false ds-cfg-allow-multiple-password-values: false ds-cfg-allow-pre-encoded-passwords: false ds-cfg-allow-user-password-changes: true ds-cfg-expire-passwords-without-warning: false ds-cfg-force-change-on-add: false ds-cfg-force-change-on-reset: false ds-cfg-grace-login-count: 0 ds-cfg-idle-lockout-interval: 0 seconds ds-cfg-lockout-failure-count: 0 ds-cfg-lockout-duration: 0 seconds ds-cfg-lockout-failure-expiration-interval: 0 seconds ds-cfg-minimum-password-age: 0 seconds ds-cfg-maximum-password-age: 0 seconds ds-cfg-maximum-password-reset-age: 0 seconds ds-cfg-password-expiration-warning-interval: 5 days ds-cfg-password-change-requires-current-password: true ds-cfg-require-secure-authentication: false ds-cfg-require-secure-password-changes: false ds-cfg-skip-validation-for-administrators: false dn: cn=Password Storage Schemes,cn=config objectClass: top objectClass: ds-cfg-branch
@@ -998,11 +1025,12 @@ cn: Directory Manager givenName: Directory sn: Manager userPassword: {SSHA}7SvN6HIPUPGr0YFd0NbRkoXWyWzHsOnEfUMyxg== userPassword: {SSHA512}l1t43vVl7Uh03PpQ2vCsT0B7Q0HTi+tKJmH7tZTmSGaKrMHWHO1czfwEsjMgfbeQoiYQDGDuxolipR0H6ajMu1YHlTjPNG9Z ds-cfg-alternate-bind-dn: cn=Directory Manager ds-rlim-size-limit: 0 ds-rlim-time-limit: 0 ds-rlim-lookthrough-limit: 0 pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config dn: cn=Root DSE,cn=config objectClass: top opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
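Review bot: `ds-cfg-default-password-storage-scheme: SSHA512` in the new `cn=Root Password Policy` entry requires a matching, enabled scheme entry under `cn=Password Storage Schemes,cn=config`; the hunk stops at that branch entry and does not show one being added, so if it is not already defined elsewhere in config.ldif the policy, and with it the root bind, would fail to load. The second hunk of this file replaces the Directory Manager `{SSHA}` value with an `{SSHA512}` value under the same assumption, so both should be checked against the scheme entries present in the full file. The new entry also carries `ds-cfg-lockout-failure-count: 0` and `ds-cfg-require-secure-authentication: false`, which, with 0 disabling the limit, means root binds are never locked out and may be made without a secure connection; if that mirrors the default policy on purpose, a comment such as `# Root Password Policy: root users exempt from lockout; passwords stored with SSHA512` above the `dn:` line would make the choice explicit.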
@@ -615,5 +615,57 @@ // SHA-2 should be considered secure. return true; } /** * Generates an encoded password string from the given clear-text password. * This method is primarily intended for use when it is necessary to generate * a password with the server offline (e.g., when setting the initial root * user password). * * @param passwordBytes The bytes that make up the clear-text password. * * @return The encoded password string, including the scheme name in curly * braces. * * @throws DirectoryException If a problem occurs during processing. */ public static String encodeOffline(byte[] passwordBytes) throws DirectoryException { byte[] saltBytes = new byte[NUM_SALT_BYTES]; new SecureRandom().nextBytes(saltBytes); byte[] passwordPlusSalt = new byte[passwordBytes.length + NUM_SALT_BYTES]; System.arraycopy(passwordBytes, 0, passwordPlusSalt, 0, passwordBytes.length); System.arraycopy(saltBytes, 0, passwordPlusSalt, passwordBytes.length, NUM_SALT_BYTES); MessageDigest messageDigest; try { messageDigest = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA_512); } catch (Exception e) { int msgID = MSGID_PWSCHEME_CANNOT_INITIALIZE_MESSAGE_DIGEST; String message = getMessage(msgID, MESSAGE_DIGEST_ALGORITHM_SHA_512, String.valueOf(e)); throw new DirectoryException(ResultCode.OTHER, message, msgID, e); } byte[] digestBytes = messageDigest.digest(passwordPlusSalt); byte[] digestPlusSalt = new byte[digestBytes.length + NUM_SALT_BYTES]; System.arraycopy(digestBytes, 0, digestPlusSalt, 0, digestBytes.length); System.arraycopy(saltBytes, 0, digestPlusSalt, digestBytes.length, NUM_SALT_BYTES); return "{" + STORAGE_SCHEME_NAME_SALTED_SHA_512 + "}" + Base64.encode(digestPlusSalt); } } opends/src/server/org/opends/server/tools/ConfigureDS.java
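Review bot: `passwordPlusSalt` holds the clear-text password bytes and is simply left for the garbage collector after `messageDigest.digest(passwordPlusSalt)`; clearing it with `Arrays.fill(passwordPlusSalt, (byte) 0);` right after the digest call would limit how long the clear-text root password stays in the heap (assuming `java.util.Arrays` is in scope, which the hunk does not show). The `catch (Exception e)` around `MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA_512)` is broader than needed, since `NoSuchAlgorithmException` is the only checked exception it throws; catching that alone avoids reporting unrelated runtime errors as a digest-initialization failure. `new SecureRandom()` is instantiated on every call, which is acceptable for this offline, one-off path but is worth a short comment such as `// Offline use only: a fresh SecureRandom per call is fine here` so it is not copied into the per-bind encoding path.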
@@ -39,7 +39,7 @@ import org.opends.server.core.DirectoryException; import org.opends.server.core.DirectoryServer; import org.opends.server.core.LockFileManager; import org.opends.server.extensions.SaltedSHA1PasswordStorageScheme; import org.opends.server.extensions.SaltedSHA512PasswordStorageScheme; import org.opends.server.protocols.ldap.LDAPResultCode; import org.opends.server.types.DN; import org.opends.server.util.args.ArgumentException;
@@ -441,7 +441,7 @@ byte[] rootPWBytes = getBytes(rootPW); String encodedPassword = SaltedSHA1PasswordStorageScheme.encodeOffline(rootPWBytes); SaltedSHA512PasswordStorageScheme.encodeOffline(rootPWBytes); StringConfigAttribute bindPWAttr = new StringConfigAttribute(ATTR_USER_PASSWORD, "", false, false, false, encodedPassword);
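Review bot: `rootPWBytes` keeps a clear-text copy of the root password in memory after `SaltedSHA512PasswordStorageScheme.encodeOffline(rootPWBytes)` returns, and the second hunk never clears it; the `rootPW` String itself cannot be wiped, but the byte copy can, with `Arrays.fill(rootPWBytes, (byte) 0);` after the call (assuming `java.util.Arrays` is imported, which the hunk does not show). Switching the offline encoder to SSHA512 also makes this tool depend on the SSHA512 scheme being enabled in the target configuration; if config.ldif does not define that scheme entry the server cannot verify the `userPassword` value written here, so a comment such as `// Requires the SSHA512 storage scheme to be enabled in config.ldif` at the call site would document that coupling. The enclosing method begins before the hunk.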