[midPoint] Teaching LDAP resource to set CRYPT hashes
pdbogen at cernu.us
Sat Oct 15 00:14:27 CEST 2016
Hi, all.
No question, just a Helpful Thing that I figured out, in case others might
find this useful. I managed to teach an LDAP resource to set a {CRYPT} hash,
which is unfortunately not supported by the OpenICF LDAP connector.
CRYPT supports a few hash algorithms that are much better than the ones
supported by OpenICF, namely (in some environments) bcrypt, and at least
salted SHA-512. The best OpenICF can do is salted SHA-1.
I implemented this with a Groovy expression as part of the credential mapping: the
mapping generates a salt, decrypts the password, and hashes them together
using the Crypt class from Apache Commons Codec, which happens to already be
available in this Groovy environment. Here's the snippet:
<credentials>
    <password>
        <outbound>
            <expression><script><code>
                import org.apache.commons.codec.digest.Crypt
                import java.security.SecureRandom

                if (input != null) {
                    // 8 random bytes -> 16 hex characters, the longest salt SHA-512 crypt uses
                    def salt = new byte[8]
                    new SecureRandom().nextBytes(salt)
                    // '$6$' selects SHA-512 crypt; single quotes keep Groovy from interpolating $6.
                    // Crypt.crypt is a static method, so no Crypt instance is needed.
                    return '{CRYPT}' + Crypt.crypt(basic.decrypt(input), '$6$' + salt.encodeHex().toString())
                }
            </code></script></expression>
        </outbound>
    </password>
</credentials>
(I don't promise that this is a "good" approach; but it certainly Works For
Me™. If anyone has suggestions to improve it, I'd love to hear them!)
Hope this helps somebody,
--
Patrick Bogen
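As an added example (not part of the original post, and not midPoint's or Apache Commons' code), the following stand-alone Python reimplements SHA-512 crypt from Ulrich Drepper's specification using only the standard library, so the `{CRYPT}$6$<salt>$<hash>` values the mapping above writes into LDAP can be produced and checked offline. `make_ldap_crypt` mirrors the mapping's salt construction (8 random bytes rendered as 16 hex characters); `verify_ldap_crypt` parses a stored value and compares in constant time. The `salt_bytes` parameter and the inputs in the test are constructed for illustration; the one published test vector (`$6$saltstring` / `Hello world!`) is the first SHA-512 case from the specification. Two caveats the code makes visible: a hex salt carries 64 bits of entropy rather than the 96 bits the 16-character crypt alphabet allows, and the directory that will verify the value must itself support `$6$` in its `{CRYPT}` scheme.

```python
"""Generate and verify OpenLDAP-style {CRYPT}$6$ (SHA-512 crypt) userPassword values.

Pure-stdlib reimplementation of SHA-512 crypt (Drepper's specification), added as an
example; it is not midPoint's, OpenLDAP's or Apache Commons Codec's code.
"""
import hashlib
import hmac
import os
import re
from typing import Optional

# crypt(3) uses its own 64-character alphabet, not RFC 4648 base64.
_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# SHA-512 crypt emits the 64 digest bytes in a fixed permutation:
# triple k is (k, k+21, k+42) rotated left by k mod 3, then byte 63 on its own.
_TRIPLES = [(k, k + 21, k + 42)[k % 3:] + (k, k + 21, k + 42)[:k % 3] for k in range(21)]
_DEFAULT_ROUNDS = 5000


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Pack three bytes into 24 bits and emit n 6-bit groups, lowest group first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(out)


def _sha512_crypt_digest(password: bytes, salt: bytes, rounds: int) -> str:
    """Encoded hash part of SHA-512 crypt (without the '$6$', rounds and salt prefix)."""
    salt = salt[:16]  # crypt ignores anything beyond 16 salt characters
    plen, slen = len(password), len(salt)
    # Digest B: password + salt + password.
    b = hashlib.sha512(password + salt + password).digest()
    # Digest A: password + salt, B repeated up to the password length, then one
    # B (bit set) or password (bit clear) per bit of the password length, low bit first.
    a = hashlib.sha512(password + salt)
    a.update(b * (plen // 64) + b[: plen % 64])
    bits = plen
    while bits > 0:
        a.update(b if bits & 1 else password)
        bits >>= 1
    a = a.digest()
    # P: DP = SHA-512 of the password repeated len(password) times, cut to plen bytes.
    dp = hashlib.sha512(password * plen).digest()
    p = dp * (plen // 64) + dp[: plen % 64]
    # S: DS = SHA-512 of the salt repeated 16 + A[0] times, cut to slen bytes.
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = ds * (slen // 64) + ds[: slen % 64]
    # Key stretching: `rounds` chained SHA-512 computations over C, P and S.
    c = a
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    return "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in _TRIPLES) + _b64_24bit(0, 0, c[63], 2)


def sha512_crypt(password: bytes, salt: bytes, rounds: int = _DEFAULT_ROUNDS) -> str:
    """Full crypt string '$6$[rounds=N$]salt$hash', as crypt(3) returns it."""
    prefix = "$6$" if rounds == _DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return prefix + salt[:16].decode("ascii") + "$" + _sha512_crypt_digest(password, salt, rounds)


def make_ldap_crypt(password: str, salt_bytes: Optional[bytes] = None) -> str:
    """Mirror the midPoint mapping: 8 random bytes -> 16 hex chars -> '{CRYPT}$6$<salt>$<hash>'.

    salt_bytes is a hook for deterministic tests only; production callers leave it None.
    """
    salt = (salt_bytes if salt_bytes is not None else os.urandom(8)).hex().encode("ascii")
    return "{CRYPT}" + sha512_crypt(password.encode("utf-8"), salt)


_LDAP_CRYPT_RE = re.compile(r"\{CRYPT\}\$6\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})")


def verify_ldap_crypt(stored: str, password: str) -> bool:
    """Check a plaintext against a stored {CRYPT}$6$ value; False on any format error."""
    m = _LDAP_CRYPT_RE.fullmatch(stored)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else _DEFAULT_ROUNDS
    expected = _sha512_crypt_digest(password.encode("utf-8"), m.group(2).encode("ascii"), rounds)
    return hmac.compare_digest(expected, m.group(3))
```

A quick way to cross-check the Groovy mapping end to end is to read a `userPassword` the mapping wrote back out of the directory and feed it to `verify_ldap_crypt` with the known plaintext; a `False` there means either the libc/OpenLDAP build does not speak `$6$` or the value was written with a different scheme.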