How to retrieve LDAP password via JNDI
Solution 1
What you're seeing ([B@1cd8669) is Java's way of saying "this is a byte array".
The stored "password" is most likely either a hash of the real password or an encrypted version. Cryptographic hashes are, by definition, non-reversible so you will not be able to see what the user's password is if LDAP stores the hash.
If it's encrypted then if you know the algorithm and the key it's fairly simple to decrypt. BouncyCastle is a great Java crypto library you can use to decrypt the password.
Basically, you need to know exactly what you're looking at, and that will depend on the LDAP setup.
Solution 2
with ldap we will get data in byte array.if you need to get the original password text use the
following code:
Attribute userPassword = attributes.get("userPassword");
String pwd = new String((byte[]) userPassword.get());
Related videos on Youtube
Nivek
Updated on June 04, 2022Comments
-
Nivek almost 2 years
I am able to read the password stored in LDAP via JNDI. But the result is some gibberish characters. So how do i decrypt it?
Below is my code:
public static void main(String[] args) { String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory"; String MY_HOST = "ldap://KhooGP-Comp1:1389"; String MGR_DN = "cn=Directory Manager"; String MGR_PW = "password"; String MY_SEARCHBASE = "dc=QuizPortal"; String MY_FILTER = "uid=yiwei"; String MY_ATTRS[] = {"cn", "uid", "sn", "userpassword"}; //Identify service provider to use Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX); env.put(Context.PROVIDER_URL, MY_HOST); env.put(Context.SECURITY_AUTHENTICATION, "simple"); env.put(Context.SECURITY_PRINCIPAL, MGR_DN); env.put(Context.SECURITY_CREDENTIALS, MGR_PW); try { // Create the initial directory context InitialDirContext initialContext = new InitialDirContext(env); DirContext ctx = (DirContext)initialContext; System.out.println("Context Sucessfully Initialized"); SearchControls constraints = new SearchControls(); constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); NamingEnumeration results = ctx.search(MY_SEARCHBASE, MY_FILTER, constraints); while(results != null && results.hasMore()) { SearchResult sr = (SearchResult) results.next(); String dn = sr.getName() + "," + MY_SEARCHBASE; System.out.println("Distinguished Name is " + dn); Attributes ar = ctx.getAttributes(dn, MY_ATTRS); if(ar == null) { System.out.println("Entry " + dn); System.out.println(" has none of the specified attributes\n"); } else { for(int i=0; i<MY_ATTRS.length; i++) { Attribute attr = ar.get(MY_ATTRS[i]); System.out.println(MY_ATTRS[i] + ":"); for(Enumeration vals=attr.getAll(); vals.hasMoreElements();) { System.out.println("\t" + vals.nextElement()); } } } } } catch(Exception e) { System.err.println(e); } } Below is the result: Distinguished Name is uid=yiwei,ou=Administrator,o=SID,dc=QuizPortal cn: yiwei huang uid: yiwei sn: huang userpassword: [B@1cd8669
Any advice?? Many thanks in advance
Kevin
-
user207421 over 13 yearsWhat exactly is the purpose of retrieving the password? This violates basic security practices.
-