Security-related extended synchronization rules

The SecurityUtils class offers 3 methods, available from all JavaScript contexts.

Hash (MD5 or SHA1)

To hash a value using MD5 or SHA1, you can call the **SecurityUtils.hash** method.

As an example, the following code will return the SHA1 hash of the string “phrase to hash”:

SecurityUtils.hash(SecurityUtils.HASH_SHA1, "phrase to hash")

Symmetric Encryption

Using a pre-generated key, you can encrypt or decrypt values using a two-way encryption algorithm.

General usage

All values passed to and returned from these functions are handled as base64 values, so they can be stored directly.


SecurityUtils.encrypt("something secret")


Options are set through Encryption options.

Creating a key

You can call a special method to create a key in the keypath configured above (or, by default, in “lsc.key” in the current configuration directory).

# cd /path/to/your/lsc/installation
# LSC_SEC_CP=""; for jar in lib/*.jar; do LSC_SEC_CP="$LSC_SEC_CP:$jar"; done
# java -cp $LSC_SEC_CP -f $PWD/etc

Using an external script to encrypt password

You can use the bin/ script to compute the password in the same way that LSC does.

Available in trunk or from version 2.0.3

This script computes the AES-encrypted password and the SSHA hash, searches for a given user in an LDAP directory, and pushes the encrypted password and the hash to that directory.

This can be useful in conjunction with a password filter hook (when synchronizing with Active Directory).

Microsoft / Samba LM/NT password hash

This feature offers a simple way to encrypt a string so that it can be stored as a LanMan-compatible password or an NT-compatible password.


SecurityUtils.computeSambaLMPassword("something secret")
SecurityUtils.computeSambaNTPassword("something more secret")
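
What the NT value looks like, as an added Node.js example that is not LSC's own code: it assumes computeSambaNTPassword produces the standard NT hash (MD4 over the UTF-16LE password, written as 32 hex digits, the format of Samba's sambaNTPassword attribute). The names md4, ntHash and checkStoredNtHash are made up for this example.

```javascript
// Added example: runs under Node.js, not inside LSC.
// MD4 (RFC 1320) is written out because many OpenSSL 3 builds no longer
// expose it through crypto.createHash('md4').
const SHIFTS = [[3, 7, 11, 19], [3, 5, 9, 13], [3, 9, 11, 15]];
const ROUND3_ORDER = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15];
const rotl = (x, s) => (x << s) | (x >>> (32 - s));

function md4(msg) {
  // Pad with 0x80, zeros, then the bit length (messages under 512 MiB).
  const total = Math.ceil((msg.length + 9) / 64) * 64;
  const buf = Buffer.alloc(total);
  msg.copy(buf);
  buf[msg.length] = 0x80;
  buf.writeUInt32LE(msg.length * 8, total - 8);
  let h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476];
  for (let off = 0; off < total; off += 64) {
    let [a, b, c, d] = h;
    for (let i = 0; i < 48; i++) {
      const r = i >> 4, j = i & 15;
      let f, k, add;
      if (r === 0) { f = (b & c) | (~b & d); k = j; add = 0; }
      else if (r === 1) {
        f = (b & c) | (b & d) | (c & d); k = (j & 3) * 4 + (j >> 2); add = 0x5a827999;
      } else { f = b ^ c ^ d; k = ROUND3_ORDER[j]; add = 0x6ed9eba1; }
      const t = (a + f + buf.readUInt32LE(off + 4 * k) + add) | 0;
      a = d; d = c; c = b; b = rotl(t, SHIFTS[r][j & 3]);
    }
    h = [(h[0] + a) | 0, (h[1] + b) | 0, (h[2] + c) | 0, (h[3] + d) | 0];
  }
  const out = Buffer.alloc(16);
  h.forEach((w, i) => out.writeInt32LE(w, 4 * i));
  return out;
}

// Standard NT hash: MD4 over the UTF-16LE password, as 32 uppercase hex digits.
function ntHash(password) {
  return md4(Buffer.from(password, 'utf16le')).toString('hex').toUpperCase();
}

// Check a value read back from the directory (hypothetical helper):
// reject anything that is not 32 hex digits, then compare case-insensitively.
function checkStoredNtHash(stored, expectedPassword) {
  if (!/^[0-9A-Fa-f]{32}$/.test(stored)) return 'malformed';
  return stored.toUpperCase() === ntHash(expectedPassword) ? 'match' : 'mismatch';
}
```

The NT hash is unsalted, so two accounts with the same password carry the same value; read access to the attribute that stores it should be restricted accordingly.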


In some situations, it is necessary to install the “unrestricted policy files” for Java to be able to use 256-bit keys.

LSC expects the encoded password retrieved from LDAP to be base64 encoded. So, if you store it using another tool, it must be base64 encoded before being inserted into LDAP.