
In a Spring Boot 2 project I use the bcrypt password encoder to authenticate users against an LDAP directory. The passwords are stored in the LDIF file, hence in the directory, in hashed form, with bcrypt. In order to determine the hash for each password that I need to store in the LDIF file, so that it can be loaded into the directory, I'm using this generator: https://bcrypt-generator.com.

So, I generate the hashes for the users' passwords and I store the generated values in the LDIF file. Then I try to perform authentication using the Spring LDAP password compare. But the authentication fails, as Spring and the mentioned site calculate a different bcrypt hash for the same password.

Using the hash calculated by the Spring encode() function works, of course. So my questions are:

  1. How come, using the same algorithm with the same input value and the same parameters, two implementations that are supposed to be equivalent provide different results?
  2. How is one supposed to generate the hash values, since Spring doesn't seem to provide any generator and the values generated by public generators don't match the Spring-calculated ones?

Many thanks in advance.

Nicolas

  • An LDAP "compare" operation won't work since it requires an exact match and (as you observe) bcrypt will use a different salt each time and produce a different hash. I think your LDAP server would need to support bcrypt hashes natively for use with "bind" authentication. – Shaun the Sheep Sep 11 '19 at 12:26


How come, using the same algorithm with the same input value and the same parameters, two implementations that are supposed to be equivalent provide different results?

It's normal for bcrypt to produce different output for the same input (see Bcrypt generates different hashes for the same input?, for example) so the different hashes are to be expected.

How is one supposed to generate the hash values since Spring doesn't seem to provide any generator

Spring Boot's CLI includes an encodepassword command that can be used to generate a bcrypt-encoded password:

$ spring encodepassword secret
{bcrypt}$2a$10$bhY3U6LEvbJ7DdWrcPqBu.vtLFPqDCgDGpTmyWrAVBcMANQzI/4Xy

https://bcrypt-generator.com reports a match for $2a$10$bhY3U6LEvbJ7DdWrcPqBu.vtLFPqDCgDGpTmyWrAVBcMANQzI/4Xy and secret.

Manuel Jordan
Andy Wilkinson
  • Thanks for your reply. What kind of command is spring encodepassword? How is one supposed to install it, from where, etc.? Looking for it, I didn't find anything. Kind regards, Nicolas –  Sep 06 '19 at 07:39
  • It's a command provided by Spring Boot's CLI. You can learn how to install the CLI in the [relevant section of the reference documentation](https://docs.spring.io/spring-boot/docs/2.1.7.RELEASE/reference/htmlsingle/#getting-started-installing-the-cli). – Andy Wilkinson Sep 06 '19 at 08:39