-1

Is it possible to get the user password from TDS in clear text via Java? With ldapsearch -v -D cn=root -w xxxxxx -s sub uid=testuser userPassword I'm getting the following result:


The password is in that case: Joko2014!

In Java I have tried it with:

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// ctx (a bound DirContext), name (the search base) and filter are set up elsewhere.
// Attribute names taken from the result printed below; userPassword is the one that matters here.
String[] attrIDs = {"givenName", "sn", "pwdChangedTime", "mail", "uid", "pwdReset", "cn", "description", "userPassword"};
SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(attrIDs);
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);

NamingEnumeration<SearchResult> results = ctx.search(name, filter, ctls);

while (results.hasMore()) {
    SearchResult entry = results.next();
    System.out.println(entry);   // SearchResult.toString() prints byte[] values as "[B@..."
}

But the output in the console is just:

uid=testuser: null:null:{givenname=givenName: xxxx, sn=sn: xxx, pwdchangedtime=pwdChangedTime: 20160926173016.000000Z, mail=mail: xxxxxx@xx.xxx.com, uid=uid: testuser, userpassword;binary=userPassword;binary: [B@1a626f, pwdreset=pwdReset: true, cn=cn: xxxx, description=description: xxxxxx;xxxxxx;I;xxxxxx}

What does "userpassword;binary=userPassword;binary: [B@1a626f" mean and how can I get the password here? Do I have to encode it? If yes, how can I solve it? Getting the other operational attributes is no problem.

Best Regards!

InfoEngi
  • Not if the LDAP server is correctly configured. It should be hashing the passwords, which is a one-way process. If you haven't configured your server, see [here](http://stackoverflow.com/questions/2283937/how-should-i-ethically-approach-user-password-storage-for-later-plaintext-retrie/2287672#2287672) for why you should. – user207421 Sep 27 '16 at 10:06
  • Do you mean that if the server is correctly configured the passwords can't be retrieved, or that if it's correctly configured I can? Is the configuration via the "IBM Security Directory Server Web Administration Tool" possible? Because I really need to extract the passwords and import them in another location again. – InfoEngi Sep 27 '16 at 10:35
  • You cannot retrieve plaintext passwords if the OpenLDAP server is correctly configured. I don't know why you're talking about the IBM Security Directory Server Web Administration Tool when your question is about OpenLDAP. – user207421 Sep 27 '16 at 11:38
  • Well, it's not an OpenLDAP server, it's a TDS server. And I am using the "IBM Security Directory Server Web Administration Tool" as GUI. But for searching or modifying, I am using ldapsearch or ldapmodify from OpenLDAP. – InfoEngi Sep 27 '16 at 11:43
  • So **why is your question both titled and tagged OpenLDAP?** And why haven't you mentioned the actual server in your question? And tags? – user207421 Sep 27 '16 at 11:47
  • Sorry man! I have just written "user password from TDS" and "using openldap". I thought that was enough... – InfoEngi Sep 27 '16 at 12:00
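A worked example, added here and not code from the question or from IBM, that does what the comments and the printed result point at. JNDI treats userPassword as a binary attribute, so the value comes back as a byte[] (the "[B@1a626f" is just Object.toString() on that array), and in the output above the attribute is stored under the ID "userPassword;binary", so a lookup by the plain name "userPassword" misses it. The code below iterates the returned attributes, matches the ID with any ";option" suffix stripped, decodes the bytes as UTF-8, and tells a scheme-prefixed hash such as "{SSHA}..." apart from a value that is usable as the clear-text password. The host, bind DN and search base are placeholders; the bind password is read from the first command-line argument so it does not sit in the source.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class UserPasswordDump {

    // Placeholder values (assumptions): replace with the real TDS host, bind DN and search base.
    private static final String URL     = "ldap://tds.example.com:389";
    private static final String BIND_DN = "cn=root";
    private static final String BASE    = "o=example";

    public static void main(String[] args) throws NamingException {
        if (args.length != 1) {
            System.err.println("usage: java UserPasswordDump <bind-password>");
            return;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, args[0]);

        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[] {"uid", "userPassword"});

            NamingEnumeration<SearchResult> results = ctx.search(BASE, "(uid=testuser)", ctls);
            while (results.hasMore()) {
                SearchResult entry = results.next();
                String pw = readUserPassword(entry.getAttributes());
                System.out.println(entry.getNameInNamespace() + " -> " + describe(pw));
            }
        } finally {
            ctx.close();
        }
    }

    /** Finds userPassword whatever options its ID carries (e.g. ";binary") and decodes the byte[] JNDI returns. */
    static String readUserPassword(Attributes attrs) throws NamingException {
        NamingEnumeration<? extends Attribute> all = attrs.getAll();
        while (all.hasMore()) {
            Attribute attr = all.next();
            // An LDAP attribute description is "type;option;option"; compare only the type part.
            String baseId = attr.getID().split(";", 2)[0];
            if (!baseId.equalsIgnoreCase("userPassword")) {
                continue;
            }
            Object value = attr.get();
            // JNDI returns userPassword as byte[] by default, which is why toString() showed "[B@...".
            if (value instanceof byte[]) {
                return new String((byte[]) value, StandardCharsets.UTF_8);
            }
            return value.toString();
        }
        return null;
    }

    /** Separates a server-side hash from a value that can be used as the clear-text password. */
    static String describe(String pw) {
        if (pw == null) {
            return "(no userPassword returned; check the bind DN's read rights on that attribute)";
        }
        // RFC 2307 style hashes carry a scheme prefix such as {SSHA}; a clear-text value does not.
        if (pw.startsWith("{")) {
            return "hashed, not recoverable: " + pw;
        }
        return "clear text: " + pw;
    }
}
```

Run it with the same bind DN the ldapsearch command used (cn=root); with a lower-privileged bind the server may simply omit the attribute, which shows up here as null rather than as an exception, so the null case is the first thing to check when the values disagree.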

3 Answers

0

Once in an LDAP directory that is configured with HASH(PASSWORD+SALT) password storage (kind of the default for the userPassword property), it is not possible to retrieve the original password in clear text.

Ironluca
  • Do you know where I can see if it's configured with Hash (Password+Salt)? Maybe I can change it to receive the clear text passwords. – InfoEngi Sep 27 '16 at 10:38
  • It is usually a configuration option. I am not very well versed in OpenLDAP configuration; however, I think you could find the configuration options in the OpenLDAP man pages/documentation – Ironluca Sep 27 '16 at 11:10
  • Okay, I have found the option in TDS ... and in "Manage security properties/Password encryption" an AES256 encryption is configured. But I don't understand why I can see the password in clear text just with "ldapsearch -v -D cn=root -w xxxxxx -s sub uid=testuser userPassword" – InfoEngi Sep 27 '16 at 12:37
  • If the password is encrypted and not hashed, then the password in its original form is available (after hashing it is not). I guess since you are accessing as root you may be able to see the decrypted password; I guess that would be a behaviour of TDS. – Ironluca Sep 27 '16 at 12:43
0

I found the following earlier question: LINK

Is that approach right or possible? Because it doesn't work; it seems that userPassword is null:

    Attribute userPassword = entry.getAttributes().get("userPassword");

"With LDAP we will get data in a byte array. If you need to get the original password text use the following code:"

    Attribute userPassword = attributes.get("userPassword");
    String pwd = new String((byte[]) userPassword.get());

InfoEngi
  • No it will not; once HASH(PASSWORD+SALT) has been applied you will get that value in the pwd string, not the original user password – Ironluca Sep 27 '16 at 11:48
0

I know this feels like necroposting, but I recently did some research on TDS and found some clues that might be useful for someone else. I can't help you with Java because I'm not a developer, but I can answer your question about how it is possible that ldapsearch returned the userPassword attribute in clear text.

This is the default TDS behaviour: by default it uses a two-way encryption algorithm (AES256 as default) for encrypted attributes (such as userPassword); every access to these attributes decrypts the attribute value and returns a plaintext password.

Maybe in your Java application you're using a different user to query TDS? You can check temporarily using cn=root.