Package org.opends.server.extensions
Class CryptPasswordStorageScheme
java.lang.Object
org.opends.server.api.PasswordStorageScheme<CryptPasswordStorageSchemeCfg>
org.opends.server.extensions.CryptPasswordStorageScheme
- All Implemented Interfaces:
ConfigurationChangeListener<CryptPasswordStorageSchemeCfg>
public final class CryptPasswordStorageScheme
extends PasswordStorageScheme<CryptPasswordStorageSchemeCfg>
implements ConfigurationChangeListener<CryptPasswordStorageSchemeCfg>
This class defines a Directory Server password storage scheme based on the UNIX Crypt algorithm. This is a legacy
one-way digest algorithm intended only for situations where passwords have not yet been updated to modern hashes such
as SHA-1 and friends. This implementation does perform weak salting, which means that it is more vulnerable to
dictionary attacks than schemes with larger salts.
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionapplyConfigurationChange
(CryptPasswordStorageSchemeCfg configuration) Applies the configuration changes to this change listener.encodePassword
(ByteString plaintext) Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme.Retrieves the name of the password storage scheme provided by this handler.void
initializePasswordStorageScheme
(CryptPasswordStorageSchemeCfg configuration, ServerContext serverContext) Initializes this password storage scheme handler based on the information in the provided configuration entry.boolean
isConfigurationAcceptable
(CryptPasswordStorageSchemeCfg configuration, List<LocalizableMessage> unacceptableReasons) Indicates whether the provided configuration is acceptable for this password storage scheme.boolean
isConfigurationChangeAcceptable
(CryptPasswordStorageSchemeCfg configuration, List<LocalizableMessage> unacceptableReasons) Indicates whether the proposed change to the configuration is acceptable to this change listener.boolean
Indicates whether this password storage scheme should be considered "secure".boolean
passwordMatches
(ByteString plaintextPassword, ByteString storedPassword) Indicates whether the provided plaintext password included in a bind request matches the given stored value.Methods inherited from class org.opends.server.api.PasswordStorageScheme
authPasswordMatches, destroySilently, encodeAuthPassword, encodePasswordWithScheme, finalizePasswordStorageScheme, getAuthPasswordPlaintextValue, getAuthPasswordSchemeName, getPlaintextValue, isRehashNeeded, isReversible, supportsAuthPasswordSyntax
-
Constructor Details
-
CryptPasswordStorageScheme
public CryptPasswordStorageScheme()
-
-
Method Details
-
initializePasswordStorageScheme
public void initializePasswordStorageScheme(CryptPasswordStorageSchemeCfg configuration, ServerContext serverContext) Description copied from class:PasswordStorageScheme
Initializes this password storage scheme handler based on the information in the provided configuration entry. It should also register itself with the Directory Server for the particular storage scheme that it will manage.- Specified by:
initializePasswordStorageScheme
in classPasswordStorageScheme<CryptPasswordStorageSchemeCfg>
- Parameters:
configuration
- The configuration entry that contains the information to use to initialize this password storage scheme handler.serverContext
- The server context
-
getStorageSchemeName
Description copied from class:PasswordStorageScheme
Retrieves the name of the password storage scheme provided by this handler.- Specified by:
getStorageSchemeName
in classPasswordStorageScheme<CryptPasswordStorageSchemeCfg>
- Returns:
- The name of the password storage scheme provided by this handler.
-
encodePassword
Description copied from class:PasswordStorageScheme
Encodes the provided plaintext password for this storage scheme, without the name of the associated scheme. Note that the provided plaintext password should not be altered in any way.- Specified by:
encodePassword
in classPasswordStorageScheme<CryptPasswordStorageSchemeCfg>
- Parameters:
plaintext
- The plaintext version of the password.- Returns:
- The password that has been encoded using this storage scheme.
- Throws:
LdapException
- If a problem occurs while processing.
-
passwordMatches
Description copied from class:PasswordStorageScheme
Indicates whether the provided plaintext password included in a bind request matches the given stored value. The provided stored value should not include the scheme name in curly braces.- Specified by:
passwordMatches
in classPasswordStorageScheme<CryptPasswordStorageSchemeCfg>
- Parameters:
plaintextPassword
- The plaintext password provided by the user as part of a simple bind attempt.storedPassword
- The stored password to compare against the provided plaintext password.- Returns:
true
if the provided plaintext password matches the provided stored password, orfalse
if not.
-
isStorageSchemeSecure
public boolean isStorageSchemeSecure()Description copied from class:PasswordStorageScheme
Indicates whether this password storage scheme should be considered "secure". If the encoding used for this scheme does not obscure the value at all, or if it uses a method that is trivial to reverse (e.g., base64), then it should not be considered secure.
This may be used to determine whether a password may be included in a set of search results, including the possibility of overriding access controls in the case that access controls would allow the password to be returned but the password is considered too insecure to reveal.- Specified by:
isStorageSchemeSecure
in classPasswordStorageScheme<CryptPasswordStorageSchemeCfg>
- Returns:
false
if it may be trivial to discover the original plain-text password from the encoded form, ortrue
if the scheme offers sufficient protection that revealing the encoded password will not easily reveal the corresponding plain-text value.
-
isConfigurationAcceptable
public boolean isConfigurationAcceptable(CryptPasswordStorageSchemeCfg configuration, List<LocalizableMessage> unacceptableReasons) Description copied from class:PasswordStorageScheme
Indicates whether the provided configuration is acceptable for this password storage scheme. It should be possible to call this method on an uninitialized password storage scheme instance in order to determine whether the password storage scheme would be able to use the provided configuration.- Overrides:
isConfigurationAcceptable
in classPasswordStorageScheme<CryptPasswordStorageSchemeCfg>
- Parameters:
configuration
- The password storage scheme configuration for which to make the determination.unacceptableReasons
- A list that may be used to hold the reasons that the provided configuration is not acceptable.- Returns:
true
if the provided configuration is acceptable for this password storage scheme, orfalse
if not.
-
isConfigurationChangeAcceptable
public boolean isConfigurationChangeAcceptable(CryptPasswordStorageSchemeCfg configuration, List<LocalizableMessage> unacceptableReasons) Description copied from interface:ConfigurationChangeListener
Indicates whether the proposed change to the configuration is acceptable to this change listener.- Specified by:
isConfigurationChangeAcceptable
in interfaceConfigurationChangeListener<CryptPasswordStorageSchemeCfg>
- Parameters:
configuration
- The new configuration containing the changes.unacceptableReasons
- A list that can be used to hold messages about why the provided configuration is not acceptable.- Returns:
- Returns
true
if the proposed change is acceptable, orfalse
if it is not.
-
applyConfigurationChange
Description copied from interface:ConfigurationChangeListener
Applies the configuration changes to this change listener.- Specified by:
applyConfigurationChange
in interfaceConfigurationChangeListener<CryptPasswordStorageSchemeCfg>
- Parameters:
configuration
- The new configuration containing the changes.- Returns:
- Returns information about the result of changing the configuration.
-