        import java.util.List;
        import com.unboundid.ldap.sdk.*;

        // lc is an open LDAPConnection; baseDN and searchFilter are set elsewhere.
        // The original snippet had an unterminated string literal ("pwdHistory}).
        String[] userAttrList = {"cn", "sn", "pwdHistory"};
        SearchResult searchResult = lc.search(baseDN, SearchScope.SUB, searchFilter, userAttrList);
        List<SearchResultEntry> result = searchResult.getSearchEntries();
        for (SearchResultEntry sre : result) {
            // pwdHistory is multi-valued; getAttributeValue returns only the first value.
            String value = sre.getAttributeValue("pwdHistory");
            System.out.println(value);
            return value;
        }

I'm using the UnboundID LDAP SDK to get the user's details from LDAP.

Attribute(name=cn, values={'Test User'}), Attribute(name=sn, values={'User'}), Attribute(name=pwdHistory, values={'20150902093503Z#2.5.4.35#32#{AES256}33243DD8jnwa8a8asbaaa==', '20150903091818Z#2.5.4.35#32#{AES256}PJiYUi+ssasassasaasa==', '20150902090417Z#2.5.4.35#32#{AES256}asasasAAA222221211221=='})}, controls={})]

I get the password history in the LDAP default encrypted form.

Is there an API available to get it in a decrypted format?

dozer

1 Answer


get decrypted pwdHistory values

You can't, because they aren't encrypted in the first place. They are hashed.

Any system that allows you to retrieve passwords in plaintext is ill-designed. OpenLDAP isn't one of them.

user207421
  • I get an AES256 value (which is a symmetric encryption algo) and it can be decrypted, no? I was wondering if LDAP has that feature. The reason I believe this is possible is because I get the "userPassword" attribute in plaintext when I query using a root user. I was told by the LDAP guys that the userPassword is encrypted but I get it in plain text because I'm fetching it as a root user. It strangely didn't apply for the password history though. – dozer Sep 24 '15 at 11:13
  • It is a choice. To say it is setup "wrong" is not correct. The configuration of using a non-hashed and even a plain text password storage scheme is valid. Though probably not the best practice. – jwilleke Sep 25 '15 at 12:12
  • @jeemster *Definitely* and *extremely* poor practice, and therefore wrong. See the commentary to the [password-encryption] tag and also [this answer](http://stackoverflow.com/a/2287672/207421) for why, although I would have assumed you already know these things. Introducing company-breaking legal liabilities into computer systems is wrong. – user207421 Sep 26 '15 at 23:04
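As an added example (not from the question, the answer, or the UnboundID SDK), the Python below parses pwdHistory values in the layout the question's output shows (time#OID#length#data, the format from draft-behera-ldap-password-policy) and demonstrates what you can actually do with a scheme-tagged stored value: read the scheme tag and timestamp, and test whether a candidate password matches by re-hashing it and comparing, which is the only operation a hashed value supports. The comparison is implemented for the common {SSHA} scheme (base64 of the SHA-1 digest followed by the salt); any other tag, including the {AES256} tag in the question's output, is rejected rather than guessed at. The history values are constructed for the example with fixed salts so the results are reproducible.

```python
"""Parse pwdHistory values and verify a candidate password against them.

Added example, independent of the question's Java code and the UnboundID SDK.
Assumes the pwdHistory layout time "#" OID "#" length "#" data and the
{SSHA} userPassword scheme base64(sha1(password + salt) + salt).
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PwdHistoryEntry:
    timestamp: str   # GeneralizedTime, e.g. "20150902093503Z"
    oid: str         # OID field; the question's server emits 2.5.4.35 (userPassword)
    length: int      # declared octet length of `data`
    data: str        # the stored password value, e.g. "{SSHA}...": a hash, not a secret


def parse_pwd_history(value: str) -> PwdHistoryEntry:
    """Split one pwdHistory value into its four '#'-separated fields and check the length."""
    try:
        timestamp, oid, length, data = value.split("#", 3)
    except ValueError:
        raise ValueError("pwdHistory value does not have four '#' fields: %r" % value) from None
    declared = int(length)
    actual = len(data.encode("utf-8"))
    if declared != actual:
        raise ValueError("declared length %d does not match data length %d" % (declared, actual))
    return PwdHistoryEntry(timestamp, oid, declared, data)


def scheme_of(stored: str) -> Optional[str]:
    """Return the {SCHEME} tag ('SSHA', 'AES256', ...) of a stored value, or None if untagged."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return None


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value the way a directory server stores it (random salt by default)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check candidate against an {SSHA} value by re-hashing; nothing is decrypted."""
    if scheme_of(stored) != "SSHA":
        raise ValueError("unsupported scheme, cannot verify: %s" % scheme_of(stored))
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the salt follows it
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def password_in_history(history: List[str], candidate: str) -> bool:
    """True if candidate matches any entry (the check a password-policy overlay does on change)."""
    for value in history:
        entry = parse_pwd_history(value)
        if verify_ssha(entry.data, candidate):
            return True
    return False


def make_history_value(timestamp: str, stored: str) -> str:
    """Build a pwdHistory value in the server's layout (used for constructed sample data)."""
    return "%s#2.5.4.35#%d#%s" % (timestamp, len(stored.encode("utf-8")), stored)


# Constructed sample history: three previous passwords stored as {SSHA} with fixed salts.
SAMPLE_HISTORY = [
    make_history_value("20150902090417Z", ssha_hash("Winter2014!", b"saltsalt")),
    make_history_value("20150902093503Z", ssha_hash("Spring2015!", b"8bytesss")),
    make_history_value("20150903091818Z", ssha_hash("Summer2015", b"xyzxyzxy")),
]

if __name__ == "__main__":
    for v in SAMPLE_HISTORY:
        e = parse_pwd_history(v)
        print(e.timestamp, scheme_of(e.data), verify_ssha(e.data, "Spring2015!"))
    print(password_in_history(SAMPLE_HISTORY, "Spring2015!"))
    print(password_in_history(SAMPLE_HISTORY, "Autumn2015"))
```

The point of the example is that every useful operation on the history (find when a value was set, which scheme stored it, whether a new password repeats an old one) works without ever recovering the cleartext; the server performs exactly this re-hash-and-compare when it enforces pwdInHistory.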