Crypto Support for LDAP Bind password

ClintLundmark

06-10-2020

We use LDAP for authentication to the Author server. After configuring LDAP, the bind password used by the user to authenticate to the LDAP server is in plain text in the repository. We were hoping to encrypt that password using Crypto Support but it does not seem to work.

We can encrypt using Web Console -> Main -> Crypto Support to come up with a hash. We replace the password with that hash in the OSGI node configuration. LDAP works fine until AEM is restarted. After the restart the LDAP bind is no longer successful and LDAP no longer works.

OSGI Config node:


/apps/system/config.author/org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider-<identifier> 

bind.password = {hash}


In the error log it shows:
06.10.2020 14:26:03.313 *ERROR* [qtp889165464-1425] org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory unable to bind connection: 80090308: LdapErr: DSID-0C090442, comment: AcceptSecurityContext error, data 52e, v3839


I found an entry in this forum from 2015 that indicates the Crypto Support hash may not work with LDAP, but I am hopeful it has been resolved in the last 5 years.


https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/using-hashed-password-for-...


AEM 6.4.8.2


clint

Accepted Solutions (1)

ClintLundmark

02-12-2020

This has been resolved with a call to technical support. The environment in question was in-place upgraded from AEM 6.1 to AEM 6.4. Starting in AEM 6.3 the Crypto Keys are stored in the file system by default. Prior, the keys were stored in the repository. Because this system was in-place upgraded, the keys stayed in the repository even though it is AEM 6.4. Normally that is not a problem and the documentation indicates leaving them in the repository is just fine. However, there is at least one potential issue.

If the keys are in the JCR repository the Crypto system is read on system start AFTER the LDAP configuration is read. Therefore the crypto system is not in place to decrypt the password for the purpose of the LDAP bind. To fix the LDAP issue we moved the Crypto Keys to the file system.

Keys in repository  - /etc/key

Keys in file system - /crx-quickstart/launchpad/felix/bundle{id}/data


Here is a link on how to synchronize the keys. It can also be used as a guideline to move them.
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/crypto-support-in-aem-sync...
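An added audit script (not from this thread or from Adobe) that checks the two conditions discussed above: whether an LDAP identity provider config still carries a plain-text `bind.password`, and whether the Crypto Support keys live on the file system so they are available before the LDAP bind at startup. It assumes the OSGi configs are present as Felix `.config` files (`key="value"` lines), that Crypto Support output is wrapped in braces like the `{hash}` above, and that the file-system key files are named `master` and `hmac` under a `bundle{id}/data` directory.

```python
import re
from pathlib import Path

# PID of the LDAP identity provider config named in the thread.
LDAP_PID = "org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider"

# Felix .config files store values as key="value" (assumed export format).
BIND_PASSWORD_RE = re.compile(r'^\s*bind\.password\s*=\s*"(?P<value>[^"]*)"', re.MULTILINE)
# Crypto Support wraps protected values in braces, e.g. {hash}.
PROTECTED_RE = re.compile(r"^\{[^{}]+\}$")

# Constructed sample config bodies for demonstration; not real credentials.
SAMPLE_PLAINTEXT = 'bind.dn="cn=svc-aem,ou=users,dc=example,dc=com"\nbind.password="Summer2020!"\n'
SAMPLE_PROTECTED = 'bind.dn="cn=svc-aem,ou=users,dc=example,dc=com"\nbind.password="{0a1b2c3d4e5f}"\n'


def classify_bind_password(config_text):
    """Return 'protected', 'plaintext' or 'missing' for one .config body."""
    match = BIND_PASSWORD_RE.search(config_text)
    if match is None:
        return "missing"
    return "protected" if PROTECTED_RE.match(match.group("value")) else "plaintext"


def keys_on_filesystem(quickstart_dir):
    """True if master+hmac key files exist under any bundle data dir (assumed file names)."""
    felix = Path(quickstart_dir) / "launchpad" / "felix"
    return any((d / "master").is_file() and (d / "hmac").is_file()
               for d in felix.glob("bundle*/data"))


def audit_ldap_configs(config_dir, quickstart_dir):
    """Report plain-text bind passwords and protected ones whose keys are not on disk."""
    findings = []
    for cfg in Path(config_dir).glob(LDAP_PID + "*.config"):
        status = classify_bind_password(cfg.read_text())
        if status == "plaintext":
            findings.append((cfg.name, "bind.password is stored in plain text"))
        elif status == "protected" and not keys_on_filesystem(quickstart_dir):
            # Keys only in /etc/key are loaded after the LDAP config; bind fails after restart.
            findings.append((cfg.name, "protected bind.password but crypto keys are not on the file system"))
    return findings
```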
