Storing password reset questions in LDAP

Time: 2022-11-15 12:17:38

I want to store answers to password reset questions in LDAP. I know that the answers should be hashed with a salt. I would like insight into the following:


  • What attributeClass should we use?

  • Is it possible to get the LDAP server to perform the hashing operations?

  • Is there a way to use the LDAP compare operation if the container doesn't expose how it performs hashing?

  • Does the answer vary depending on which directory service vendor you go with?

  • Is it possible to extend the password attributeClass for this purpose?

4 answers

#1


I have looked for such functionality in Sun Directory Server but was not able to find it. I ended up implementing it in my client code (by using java.security.MessageDigest if I remember correctly). It wasn't much work, but I would have preferred it to be handled by the server.


UPDATE

Oracle Internet Directory 11g supports hashing attributes: http://download.oracle.com/docs/cd/E17904_01/oid.1111/e10029/data_privacy.htm#BABFFHIH


#2


Just an idea that might be totally off: why not have a duplicate account for each user where the password is the answer to the secret question?
This way you won't have to think about hashing/salt/encryption, and to validate the answer you will call the logon user API.
Those duplicate users of course will belong to very limited security groups.


#3


It might be possible to define an attribute for the security question/answer using the syntax of an attribute that is subject to hashing/encryption, such as userPassword. This depends on the directory server product you are using.


#4


Any directory-string attribute type (http://tools.ietf.org/html/rfc4517#page-8) can be used if you want to store the hashed/encrypted value as readable string, say, Base64-encoded. You could also store it in any octet string attribute type (http://tools.ietf.org/html/rfc4517#page-19).


If the answers to the security questions need to be recovered or some leniency during verification (e.g., mixed/lower/upper case indifference) is needed, encryption may be a better option. It'd be preferable to have the middleware to do this too. Like Terry Gardner said, it depends on the directory server software you're using. For example, IBM Security Directory Server can be configured to encrypt the values of attributes. The encryption is done using the security elements specified during the installation of the software. The application doesn't have to do anything special. Novell, Red Hat, and Oracle/Sun Directory Server software also support encrypted attributes. I'm not an AD expert, but I think it doesn't support encrypted attributes. I think it's the same for OpenLDAP.

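Answers #1 and #4 describe the practical route when the directory does not hash the attribute for you: hash the answer in the client, store the result as a readable Base64 string in a directory-string attribute, and verify by reading it back. The following is an added example written for this page (not the Java code the first answerer mentions and not any directory vendor's API) showing one way to do that in Python with the standard library only. The attribute name `resetAnswerHash`, the DN, the `{PBKDF2-SHA256}` label and the `iterations$salt$digest` layout are assumptions of this example, not a scheme any LDAP server recognizes, so the LDAP compare operation cannot be used against it; the client must fetch the value and verify it itself. The normalization step implements the "case indifference" leniency answer #4 raises, without needing reversible encryption.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed scheme label for this example only; an LDAP server will not
# understand it, so verification is always done by the client after a read.
SCHEME = "{PBKDF2-SHA256}"
DEFAULT_ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Apply the leniency before hashing: case-fold and collapse whitespace.
    The same function must run at enrolment and at verification time."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing Base64 string that fits a directory-string
    attribute.  A random 16-byte salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (
        SCHEME, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute the hash from the parameters embedded in the stored value
    and compare in constant time.  Malformed values verify as False."""
    if not stored.startswith(SCHEME):
        return False
    try:
        iterations_text, salt_b64, digest_b64 = stored[len(SCHEME):].split("$")
        iterations = int(iterations_text)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def ldif_modify(dn: str, attribute: str, value: str) -> str:
    """Build the LDIF change record a client would send to replace the stored
    hash.  The value contains only Base64 characters, '{', '}', '$' and '-',
    all of which are safe in an LDIF value line."""
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "replace: %s" % attribute,
        "%s: %s" % (attribute, value),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample enrolment and verification.
    stored = hash_answer("Fluffy the Cat")
    print(ldif_modify("uid=alice,ou=people,dc=example,dc=com",  # assumed DN
                      "resetAnswerHash", stored))               # assumed attribute
    print(verify_answer("  fluffy THE cat ", stored))  # True: normalization
    print(verify_answer("Fluffy the Dog", stored))     # False
```

The stored string carries its own iteration count and salt, so the parameters can be raised later for new enrolments while old values still verify. Keeping the attribute readable only to the middleware's service identity (via the directory's ACLs) matters as much as the hash, since answers to these questions usually have far less entropy than a password.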
