spring-ldap
SSHA encoded password verification fails with Apache Directory Server
I'm in the process of learning various new Spring components and to that effect, I was doing the Spring LDAP guide here: https://spring.io/guides/gs/authenticating-ldap/
To make it more interesting, I wanted to talk to Apache Directory Server (which I installed from the zip distribution of ApacheDS 2.0.0-M23).
I succeeded eventually, but I think I may have uncovered a bug in the verification of Salted SHA (SSHA) encoded userPasswords, which I think happens here:
org.springframework.security.authentication.encoding.LdapShaPasswordEncoder
I've shared my project here: https://github.com/rubin55/spring-foo
To reproduce:
1: Set up ApacheDS, installed from the zip distribution, and turn it on
2: Install Apache Directory Studio, connect, and load the two ldifs from my github page
3: git clone git@github.com:rubin55/spring-foo.git
4: mvn spring-boot:run the above mentioned github project
5: goto http://localhost:8080/
6: try to login with user freek (password: otherpassword): Fails because SSHA encoded
7: try to login with user rubin (password: somepassword): Succeeds, password = SHA encoded
Note: I've added a logback.xml setup so Spring Security and Spring LDAP are a bit more verbose about what's going on. All I've been able to gather though, is that LdapShaPasswordEncoder fails to verify the password when it is presented with the SSHA hashed version.
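For anyone debugging a report like the one above, it helps to be able to check a stored userPassword value independently of Spring. The block below is an added example written for this page, not code from the reporter's project or from Spring Security. It implements the RFC 2307 style {SHA} and {SSHA} schemes that LdapShaPasswordEncoder is meant to handle: {SHA} is base64(SHA1(password)), {SSHA} is base64(SHA1(password || salt) || salt), with the salt being whatever bytes follow the 20-byte digest. Function names (ssha_encode, sha_encode, split_scheme, ldap_verify) and the 4-byte salt are my own choices; the passwords somepassword and otherpassword are the ones from the report. You can paste the exact userPassword string that Apache Directory Studio shows into ldap_verify to see whether the value itself decodes and verifies, which separates a malformed or unexpectedly formatted hash from a problem in the encoder.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest length; bytes after it in an {SSHA} payload are the salt


def sha_encode(password: str) -> str:
    """Unsalted {SHA}: base64(SHA1(password)), as in the report's 'rubin' entry."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_encode(password: str, salt: bytes) -> str:
    """Salted {SSHA}: base64(SHA1(password || salt) || salt), as in the 'freek' entry."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str) -> tuple[str, bytes]:
    """Split '{SCHEME}base64' into (SCHEME upper-cased, decoded payload bytes).

    Case-folding the scheme name is an assumption made here so that '{ssha}'
    and '{SSHA}' are treated alike; a stricter verifier might not do that.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword value has no {scheme} prefix")
    end = stored.index("}")
    scheme = stored[1:end].upper()
    try:
        payload = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError as exc:
        raise ValueError("userPassword payload is not valid base64") from exc
    return scheme, payload


def ldap_verify(password: str, stored: str) -> bool:
    """Verify a cleartext password against a {SHA} or {SSHA} userPassword value."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "SHA":
        if len(payload) != SHA1_LEN:
            return False  # unsalted scheme must carry exactly one digest
        expected = hashlib.sha1(pw).digest()
        actual = payload
    elif scheme == "SSHA":
        if len(payload) <= SHA1_LEN:
            return False  # no salt bytes after the digest: malformed value
        salt = payload[SHA1_LEN:]
        expected = hashlib.sha1(pw + salt).digest()
        actual = payload[:SHA1_LEN]
    else:
        raise ValueError(f"unsupported password scheme {{{scheme}}}")
    # Constant-time comparison; avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample values; the salt is random, so the SSHA string differs per run.
    sha_value = sha_encode("somepassword")
    ssha_value = ssha_encode("otherpassword", os.urandom(4))
    print(sha_value, ldap_verify("somepassword", sha_value))
    print(ssha_value, ldap_verify("otherpassword", ssha_value))
    print("wrong password accepted?", ldap_verify("wrong", ssha_value))
```

A quick sanity check on a value pulled from the directory: base64-decode the part after the scheme and look at its length. Exactly 20 bytes means an unsalted SHA-1 digest regardless of what the prefix says; more than 20 means digest plus salt. If the decoded length and the prefix disagree, the stored value, not the verifier, is the thing to look at first.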
I am also facing this issue. Can someone confirm that this is a bug and not some configuration issue? Has anybody faced this with some other LDAP server? I am using the 2.0.0-M20 version of ApacheDS.