From 6f91bc2c31715fd0ad447eafe8c0a256a7b30be9 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Wed, 20 Sep 2006 22:09:30 +0000
Subject: [PATCH] Add a new password policy for root users to isolate them from changes to the default policy and to make it more obvious that root users are subject to password policy enforcement. The new password policy is the same as the default policy with the following exceptions:
---
opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java | 52 ++++++++++++++++++++++++++
opendj-sdk/opends/src/server/org/opends/server/tools/ConfigureDS.java | 4 +-
opendj-sdk/opends/resource/config/config.ldif | 32 +++++++++++++++-
3 files changed, 84 insertions(+), 4 deletions(-)
diff --git a/opendj-sdk/opends/resource/config/config.ldif b/opendj-sdk/opends/resource/config/config.ldif
index 1e3f59c..e105985 100644
--- a/opendj-sdk/opends/resource/config/config.ldif
+++ b/opendj-sdk/opends/resource/config/config.ldif
@@ -824,7 +824,7 @@
dn: cn=Default Password Policy,cn=Password Policies,cn=config
objectClass: top
objectClass: ds-cfg-password-policy
-cn: Default PasswordPolicy
+cn: Default Password Policy
ds-cfg-password-attribute: userPassword
ds-cfg-default-password-storage-scheme: SSHA
ds-cfg-allow-expired-password-changes: false
@@ -849,6 +849,33 @@
ds-cfg-require-secure-password-changes: false
ds-cfg-skip-validation-for-administrators: false
+dn: cn=Root Password Policy,cn=Password Policies,cn=config
+objectClass: top
+objectClass: ds-cfg-password-policy
+cn: Root Password Policy
+ds-cfg-password-attribute: userPassword
+ds-cfg-default-password-storage-scheme: SSHA512
+ds-cfg-allow-expired-password-changes: false
+ds-cfg-allow-multiple-password-values: false
+ds-cfg-allow-pre-encoded-passwords: false
+ds-cfg-allow-user-password-changes: true
+ds-cfg-expire-passwords-without-warning: false
+ds-cfg-force-change-on-add: false
+ds-cfg-force-change-on-reset: false
+ds-cfg-grace-login-count: 0
+ds-cfg-idle-lockout-interval: 0 seconds
+ds-cfg-lockout-failure-count: 0
+ds-cfg-lockout-duration: 0 seconds
+ds-cfg-lockout-failure-expiration-interval: 0 seconds
+ds-cfg-minimum-password-age: 0 seconds
+ds-cfg-maximum-password-age: 0 seconds
+ds-cfg-maximum-password-reset-age: 0 seconds
+ds-cfg-password-expiration-warning-interval: 5 days
+ds-cfg-password-change-requires-current-password: true
+ds-cfg-require-secure-authentication: false
+ds-cfg-require-secure-password-changes: false
+ds-cfg-skip-validation-for-administrators: false
+
dn: cn=Password Storage Schemes,cn=config
objectClass: top
objectClass: ds-cfg-branch
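Review bot: Every attribute in the new `cn=Root Password Policy` entry repeats the value of the Default Password Policy, so the only difference visible in this hunk is `ds-cfg-default-password-storage-scheme: SSHA512`, and the subject line that was meant to list the exceptions is cut off after "exceptions:", leaving the intent unrecorded in the file. A `#` comment above the `dn:` line would stop the two policies drifting apart unnoticed, e.g. `# Root Password Policy: a copy of the Default Password Policy except for the SSHA512 storage scheme; review both when changing either.` Note also that `ds-cfg-lockout-failure-count: 0` and `ds-cfg-maximum-password-age: 0` are carried over unchanged, which presumably leaves lockout and expiry off for root exactly as for ordinary users; if the goal is to make root enforcement obvious, the comment should say whether that is deliberate.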
@@ -998,11 +1025,12 @@
cn: Directory Manager
givenName: Directory
sn: Manager
-userPassword: {SSHA}7SvN6HIPUPGr0YFd0NbRkoXWyWzHsOnEfUMyxg==
+userPassword: {SSHA512}l1t43vVl7Uh03PpQ2vCsT0B7Q0HTi+tKJmH7tZTmSGaKrMHWHO1czfwEsjMgfbeQoiYQDGDuxolipR0H6ajMu1YHlTjPNG9Z
ds-cfg-alternate-bind-dn: cn=Directory Manager
ds-rlim-size-limit: 0
ds-rlim-time-limit: 0
ds-rlim-lookthrough-limit: 0
+pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config
dn: cn=Root DSE,cn=config
objectClass: top
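Review bot: The new policy is attached only to `cn=Directory Manager` through the added `pwdPolicySubentry` line, so any other root user entry would still fall under the Default Password Policy unless it carries the same attribute; as far as this hunk shows, the isolation promised for "root users" holds for this one entry. A comment beside the line, `# Each root user entry must reference the Root Password Policy via pwdPolicySubentry`, would tell whoever adds the next root DN what to copy. The replaced `userPassword` is a fixed `{SSHA512}` value shipped in the template; ConfigureDS appears to overwrite it at setup, and that dependency is worth a comment on the line too.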
diff --git a/opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java b/opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
index f1b4ee9..0c76c4f 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/extensions/SaltedSHA512PasswordStorageScheme.java
@@ -615,5 +615,57 @@
// SHA-2 should be considered secure.
return true;
}
+
+
+
+ /**
+ * Generates an encoded password string from the given clear-text password.
+ * This method is primarily intended for use when it is necessary to generate
+ * a password with the server offline (e.g., when setting the initial root
+ * user password).
+ *
+ * @param passwordBytes The bytes that make up the clear-text password.
+ *
+ * @return The encoded password string, including the scheme name in curly
+ * braces.
+ *
+ * @throws DirectoryException If a problem occurs during processing.
+ */
+ public static String encodeOffline(byte[] passwordBytes)
+ throws DirectoryException
+ {
+ byte[] saltBytes = new byte[NUM_SALT_BYTES];
+ new SecureRandom().nextBytes(saltBytes);
+
+ byte[] passwordPlusSalt = new byte[passwordBytes.length + NUM_SALT_BYTES];
+ System.arraycopy(passwordBytes, 0, passwordPlusSalt, 0,
+ passwordBytes.length);
+ System.arraycopy(saltBytes, 0, passwordPlusSalt, passwordBytes.length,
+ NUM_SALT_BYTES);
+
+ MessageDigest messageDigest;
+ try
+ {
+ messageDigest =
+ MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM_SHA_512);
+ }
+ catch (Exception e)
+ {
+ int msgID = MSGID_PWSCHEME_CANNOT_INITIALIZE_MESSAGE_DIGEST;
+ String message = getMessage(msgID, MESSAGE_DIGEST_ALGORITHM_SHA_512,
+ String.valueOf(e));
+ throw new DirectoryException(ResultCode.OTHER, message, msgID, e);
+ }
+
+
+ byte[] digestBytes = messageDigest.digest(passwordPlusSalt);
+ byte[] digestPlusSalt = new byte[digestBytes.length + NUM_SALT_BYTES];
+ System.arraycopy(digestBytes, 0, digestPlusSalt, 0, digestBytes.length);
+ System.arraycopy(saltBytes, 0, digestPlusSalt, digestBytes.length,
+ NUM_SALT_BYTES);
+
+ return "{" + STORAGE_SCHEME_NAME_SALTED_SHA_512 + "}" +
+ Base64.encode(digestPlusSalt);
+ }
}
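Review bot: `catch (Exception e)` around `MessageDigest.getInstance` reports far more than the missing-algorithm case the message built from `MSGID_PWSCHEME_CANNOT_INITIALIZE_MESSAGE_DIGEST` describes; the call declares only `NoSuchAlgorithmException`, so the catch should be narrowed to `catch (NoSuchAlgorithmException e)` (importing `java.security.NoSuchAlgorithmException` if the file does not already). `passwordBytes` is dereferenced at `passwordBytes.length` with no null check, so a missing password surfaces as a NullPointerException rather than the documented DirectoryException; either a leading guard or a `@throws NullPointerException If passwordBytes is null.` line in the Javadoc would make the contract explicit. The body also looks like a copy of the instance-side encode path with a fresh `new SecureRandom()` per call; if that path exists above this hunk, a one-line comment pointing at it would keep the two from drifting. The enclosing class begins outside the hunk.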
diff --git a/opendj-sdk/opends/src/server/org/opends/server/tools/ConfigureDS.java b/opendj-sdk/opends/src/server/org/opends/server/tools/ConfigureDS.java
index 793789a..6d781df 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/tools/ConfigureDS.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/tools/ConfigureDS.java
@@ -39,7 +39,7 @@
import org.opends.server.core.DirectoryException;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.LockFileManager;
-import org.opends.server.extensions.SaltedSHA1PasswordStorageScheme;
+import org.opends.server.extensions.SaltedSHA512PasswordStorageScheme;
import org.opends.server.protocols.ldap.LDAPResultCode;
import org.opends.server.types.DN;
import org.opends.server.util.args.ArgumentException;
@@ -441,7 +441,7 @@
byte[] rootPWBytes = getBytes(rootPW);
String encodedPassword =
- SaltedSHA1PasswordStorageScheme.encodeOffline(rootPWBytes);
+ SaltedSHA512PasswordStorageScheme.encodeOffline(rootPWBytes);
StringConfigAttribute bindPWAttr =
new StringConfigAttribute(ATTR_USER_PASSWORD, "", false, false,
false, encodedPassword);
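Review bot: The scheme hard-coded in this call now has to agree with `ds-cfg-default-password-storage-scheme: SSHA512` in the Root Password Policy that the same commit adds to config.ldif, and nothing in the code records that coupling. A comment on the call, `// Must match the storage scheme of cn=Root Password Policy in config.ldif`, would keep the two from drifting when one is changed. If the SSHA512 storage scheme were disabled or renamed in the target configuration the encoded root password would presumably be unusable at first bind, so that failure mode deserves a line in the comment as well. The enclosing method starts and ends outside the hunk.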
--
Gitblit v1.10.0