LDAP Synchronization Connector project

Security-related extended synchronization rules

The class SecurityUtils offers three groups of helpers, available from all JavaScript contexts: hashing with MD5 or SHA1, symmetric encryption and decryption with a pre-generated key, and Microsoft / Samba LM/NT password hashes.

Hash (MD5 or SHA1)

To hash a value using MD5 or SHA1, call the **SecurityUtils.hash** method; the first argument selects the algorithm and the second is the string to hash.

As an example, the following code returns the SHA1 hash of the string “phrase to hash”:

SecurityUtils.hash(SecurityUtils.HASH_SHA1, "phrase to hash")

Both algorithms are fast, unsalted digests. They are fine for change detection or for matching against values that are already stored hashed, but neither is a substitute for a salted password hash (such as SSHA) when storing credentials, and neither MD5 nor SHA1 is collision resistant any more.

Symmetric Encryption

Using a pre-generated key, you can encrypt or decrypt values using a two-way encryption algorithm.

General usage

Ciphertext is handled as base64 text: encrypt returns the ciphertext base64-encoded and decrypt expects a base64-encoded ciphertext, so encrypted values can be stored directly in a directory attribute.

Example:

SecurityUtils.encrypt("something secret")
SecurityUtils.decrypt(srcBean.getDatasetFirstValueById("encryptedAttribute"))

Configuration

Options, including the key file path, are set through Encryption options.

Creating a key

A dedicated command (the main class org.lsc.utils.security.SymmetricEncryption) creates a key at the key path configured in the Encryption options (by default lsc.key in the current configuration directory). Run it once per deployment and keep the resulting file readable by the LSC user only: anyone who can read it can decrypt every value encrypted with it, and losing it makes those values unrecoverable.

cd /path/to/your/lsc/installation
LSC_SEC_CP=""; for jar in lib/*.jar; do LSC_SEC_CP="${LSC_SEC_CP:+$LSC_SEC_CP:}$jar"; done
java -cp "$LSC_SEC_CP" org.lsc.utils.security.SymmetricEncryption -f "$PWD/etc"
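The key-creation procedure above, wrapped as an added Python example that is not part of LSC: it builds the classpath without the stray leading colon a naive shell loop produces (an empty classpath entry means the current directory), refuses to overwrite a key that already exists, runs the generator with a restrictive umask and verifies the key file is readable by its owner only. The installation layout (lib/ and etc/ under the installation directory) and the default key file name lsc.key are assumptions taken from the command and the text above; a key path overridden in the Encryption options is not handled.

```python
#!/usr/bin/env python3
"""Create the LSC symmetric key with the checks a deployment needs.

Added example, not part of LSC.  It wraps the documented command

    java -cp <lib/*.jar> org.lsc.utils.security.SymmetricEncryption -f <config dir>

and refuses to overwrite an existing key (every value already encrypted with
that key would become undecryptable), creates the file with a restrictive
umask, and verifies the result is readable by the owner only.
"""
import os
import stat
import subprocess
import sys
from pathlib import Path
from typing import Iterable, Optional

KEY_FILE_NAME = "lsc.key"  # default key file name given in the documentation (assumption: not overridden)
KEYGEN_CLASS = "org.lsc.utils.security.SymmetricEncryption"


def classpath_from(jars: Iterable[str]) -> str:
    """Join jar paths with ':' (the Unix classpath separator) and no leading ':'.

    An empty entry, which a leading colon creates, is read by java as the
    current directory; sorting keeps the result reproducible.
    """
    entries = sorted(str(j) for j in jars)
    if not entries:
        raise FileNotFoundError("no jars to put on the classpath")
    return ":".join(entries)


def build_classpath(lib_dir: Path) -> str:
    """Classpath made of every jar under the LSC lib directory."""
    return classpath_from(str(p) for p in lib_dir.glob("*.jar"))


def mode_is_private(st_mode: int) -> bool:
    """True for a regular file with no group or other permission bits set."""
    return stat.S_ISREG(st_mode) and (st_mode & 0o077) == 0


def is_private(path: Path) -> bool:
    return mode_is_private(path.stat().st_mode)


def create_key(lsc_home: Path, config_dir: Optional[Path] = None) -> Path:
    """Run the LSC key generator once and lock the key file down.

    Returns the key file path; raises if a key already exists or the
    generator did not produce one.
    """
    config_dir = config_dir or lsc_home / "etc"
    key_file = config_dir / KEY_FILE_NAME
    if key_file.exists():
        raise FileExistsError(
            f"{key_file} already exists; refusing to overwrite it, values "
            "encrypted with the old key could no longer be decrypted"
        )
    cmd = ["java", "-cp", build_classpath(lsc_home / "lib"),
           KEYGEN_CLASS, "-f", str(config_dir)]
    # The child process inherits our umask, so the key is never group or
    # world readable, not even briefly between creation and chmod.
    old_umask = os.umask(0o077)
    try:
        subprocess.run(cmd, check=True)
    finally:
        os.umask(old_umask)
    if not key_file.exists():
        raise RuntimeError(f"{KEYGEN_CLASS} did not create {key_file}")
    os.chmod(key_file, 0o600)  # owner read/write only
    if not is_private(key_file):
        raise RuntimeError(f"{key_file} is still readable by others")
    return key_file


if __name__ == "__main__":
    # Usage: python3 make_lsc_key.py /path/to/your/lsc/installation
    home = Path(sys.argv[1] if len(sys.argv) > 1 else ".").resolve()
    print(create_key(home))
```

Run it as the account LSC runs under, so the key ends up owned by that user; if LSC is started by a service manager, check that the same account is used there, otherwise the 0600 mode will stop LSC from reading its own key.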

Using an external script to encrypt password

You can use the bin/passwordhk.pl script to compute the password the same way LSC does.

Note

Available in trunk or from version 2.0.3

This script computes the AES-encrypted password and the SSHA hash, searches for the given user in an LDAP directory, and pushes both the encrypted password and the hash to that user's entry.

This is useful in conjunction with a password filter hook (when synchronizing with Active Directory).

Microsoft / Samba LM/NT password hash

These helpers hash a string into the format used for a LanMan (LM) compatible or an NT compatible password, as Samba expects it in its sambaLMPassword and sambaNTPassword attributes. Both formats are unsalted: the NT hash is MD4 over the password encoded as UTF-16LE, and the LM hash is DES over the upper-cased password split into two 7-character halves, which makes it case-insensitive and trivial to crack. Treat both attributes as password equivalents: restrict read access to them in the directory ACLs, and do not populate the LM hash unless a legacy client really needs it.

Example:

SecurityUtils.computeSambaLMPassword("something secret")
SecurityUtils.computeSambaNTPassword("something more secret")

Notes

Older Java runtimes (before Java 8 update 161) limit JCE to 128-bit keys by default; to use 256-bit keys on them, install the “unlimited strength jurisdiction policy files”. Java 8u161 and later, and Java 9 and later, ship with unlimited strength enabled by default.

LSC expects the encrypted password to be stored in LDAP base64-encoded. If another tool writes the value, it must base64-encode the ciphertext before inserting it into the directory.


© Copyright 2023, LSC Team.
