Thread: Decrypt LDAP Credentials from Context Configuration file

  1. #1

    Question Decrypt LDAP Credentials from Context Configuration file

    Hi Folks,
    My company doesn't allow us to put LDAP credentials as a clear text password in the Spring context configuration file. Since we need to put the encrypted password, how can I control the LDAP Context to decrypt the password before doing any search operation? This is how my config file will look:
    <beans>
    <bean id="ldapcontext" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://host.arcds.com:XXXX" />
    <property name="base" value="dc=mycorp,dc=com" />
    <property name="userName" value="cn=Directory Manager" />
    <property name="password" value="encrypted password" />
    <property name="pooled" value="true" />
    </bean>
    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate" >
    <constructor-arg ref="ldapcontext" />
    </bean>
    <bean id="personDao" class="com.mycorp.ldap.dao.personDaoImpl">
    <property name="ldapTemplate" ref="ldapTemplate" />
    </bean>
    </beans>

    Since we are injecting the ldapcontext in our bean, how do I make my password decrypt before ldaptemplate binds with the LDAP for any search or CRUD operation.

    Please help.
    Thanks
    Amit

  2. #2

    Anyone who can answer this? I don't think it should be that hard. I'm just new to the whole Spring concept.

  3. #3

    What I would recommend is a custom AuthenticationSource implementation that performs the conversion. ContextSource asks an AuthenticationSource for the principal and credentials each time they are needed (i.e. before creating an authenticated Context). Look at AbstractContextSource.SimpleAuthenticationSource and AcegiAuthenticationSource for examples of what an AuthenticationSource implementation may look like.

    Another way of doing it would be to subclass LdapContextSource and override setPassword() in that class to decrypt the password and call super.setPassword() with the decrypted value.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member
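
The custom AuthenticationSource suggested in this reply, sketched as an added example (not code from the thread or from the Spring LDAP project). The class name, the Base64 `IV || ciphertext || tag` AES-GCM format and the externally supplied key are assumptions made for the illustration:

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.ldap.core.AuthenticationSource;

// Hypothetical class: hands the ContextSource a bind password that is stored
// AES-GCM encrypted in the bean definition and decrypted only when requested.
public class DecryptingAuthenticationSource implements AuthenticationSource {
    private static final int IV_LENGTH = 12;  // bytes, prepended to the ciphertext
    private static final int TAG_BITS = 128;  // GCM authentication tag length
    private final String principal;
    private final byte[] ivAndCiphertext;
    private final SecretKeySpec key;

    // encryptedPassword: Base64 of (IV || ciphertext || tag), a format assumed here.
    // base64Key: AES key supplied from outside the context file (e.g. a JVM property).
    public DecryptingAuthenticationSource(String principal, String encryptedPassword, String base64Key) {
        this.principal = principal;
        this.ivAndCiphertext = Base64.getDecoder().decode(encryptedPassword);
        if (ivAndCiphertext.length < IV_LENGTH + TAG_BITS / 8) {
            throw new IllegalArgumentException("encrypted password too short for IV and tag");
        }
        this.key = new SecretKeySpec(Base64.getDecoder().decode(base64Key), "AES");
    }

    @Override
    public String getPrincipal() {
        return principal;
    }

    // Called by the ContextSource before it creates an authenticated context.
    @Override
    public String getCredentials() {
        try {
            byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, IV_LENGTH);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] plain = cipher.doFinal(ivAndCiphertext, IV_LENGTH, ivAndCiphertext.length - IV_LENGTH);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // Wrong key or modified ciphertext: fail the bind instead of sending garbage.
            throw new IllegalStateException("cannot decrypt LDAP bind password", e);
        }
    }
}
```

It would be wired into the context source through its `authenticationSource` property in place of `userName` and `password`. The key has to come from somewhere other than the context file, or the stored value is only obfuscated.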

  4. #4

    Quote Originally Posted by rasky
    What I would recommend is a custom AuthenticationSource implementation that performs the conversion. ContextSource asks an AuthenticationSource for the principal and credentials each time they are needed (i.e. before creating an authenticated Context). Look at AbstractContextSource.SimpleAuthenticationSource and AcegiAuthenticationSource for examples of what an AuthenticationSource implementation may look like.

    Another way of doing it would be to subclass LdapContextSource and override setPassword() in that class to decrypt the password and call super.setPassword() with the decrypted value.
    Thanks. I would try the second one. That's just easy.

  5. #5

    Encrypted or hashed password?

    Quote Originally Posted by makymyspring
    Hi Folks,
    My company doesn't allow us to put LDAP credentials as a clear text password in the Spring context configuration file. Since we need to put the encrypted password, how can I control the LDAP Context to decrypt the password before doing any search operation? This is how my config file will look:
    If your password is really encrypted, it is possible to decrypt. If it is hashed, then no chance. You need an alternative approach. I'm asking, because about every password system I know about uses hashing.
    Greg L. Turnquist (@gregturn), SpringSource/VMware
    Project Lead: Spring Python and author of Spring Python 1.1 and Python Testing Cookbook.
    Listen to Pond Jumpers, the international podcast for open source developers.
    These comments are my own personal opinions, and do not reflect those of my company.

  6. #6

    Quote Originally Posted by gregturn
    If your password is really encrypted, it is possible to decrypt. If it is hashed, then no chance. You need an alternative approach. I'm asking, because about every password system I know about uses hashing.
    Thanks for responding. This is not about the user's credentials (or password) stored in LDAP, which are generally hashed. This is actually about the security principal that you use to connect to the LDAP. Our organization has a policy that no such credentials should be kept in plain text and that they have to be encrypted. So, now I'm going to have the encrypted password in my bean configuration file, which I then have to decrypt using some key, and then use the decrypted password to connect with LDAP.

    I think the easiest way is to just subclass LdapContextSource. If you have any other better idea, please let me know.

  7. #7

    Have you tried Jasypt?
    http://www.jasypt.org/
