Nick [ website | gagravarr.org ]
LDAP hashed passwords and ColdFusion [Aug. 4th, 2004|02:20 pm]
Today, I finished getting one of our ColdFusion-based systems using LDAP for authentication. It wasn't actually very difficult, until I came to converting the change password code.

After a few readings of the appropriate RFCs (RFC 2307 is the one that spells this out), I found out that the userPassword attribute is of the form "{scheme}base64 encoding of the raw hash", where the scheme tag names the algorithm: {SHA} is SHA-1, {MD5} is MD5. The important detail is that the base64 is of the binary digest bytes, not of the hex string most hashing libraries hand back. If it's a salted scheme (eg {SSHA}), then you hash the password followed by the salt, append the salt to the resulting digest, and base64 encode all of that; whoever later verifies the password decodes the value, splits it at the digest length, and recovers the salt from the tail.

Then the problem came - how do I turn a password string in ColdFusion into the above format, so I can stuff it into an LDAP modify? To start, you need a copy of SecurityLib from cflib.org. The sha() and md5() functions in that library return a string of the hex encoded version of the hash. You then have to turn that hex encoded version back into the raw bytes (one character per hex pair), base64 encode those, then add the {SHA} / {MD5} to the start, before finally using that. Two caveats: {SHA} and {MD5} are unsalted, so two users with the same password get the same userPassword value and a stolen directory dump can be attacked with a precomputed table; if your server accepts it, generating {SSHA} with a random salt is the better choice. Also, later ColdFusion releases ship binaryDecode()/binaryEncode(), which replace the hand-rolled hex-to-bytes loop, but on the version I had the loop is what worked. The following code should handle it for you:

<cfinclude template="SecurityLib.cfm">
<!--- Generate the hex version of the SHA1 of the password --->
<cfset hash_password_hex = sha1(form.new_password_1)>

<!--- Loop over the hex pairs, and produce the iso-8859-1 characters they represent.
      iso-8859-1 maps character codes 0-255 one-to-one onto bytes, which is why
      the ToBase64 call below gets the raw digest back rather than a re-encoded string. --->
<cfset hash_password_chrs = "">
<cfloop from="1" to="#len(hash_password_hex)-1#" index="i" step="2">
        <cfset these_two = mid(hash_password_hex,i,2)>
        <cfset num_these_two = InputBaseN(lcase(these_two),16)>
        <cfset hash_password_chrs = hash_password_chrs & chr(num_these_two)>
</cfloop>

<!--- base64 encode those characters, and chuck on a {SHA} --->
<cfset hash_password_base64 = "{SHA}" & ToBase64(hash_password_chrs,"iso-8859-1")>
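To make the format concrete outside ColdFusion, here is an added Python example (my own, not code from the post or from SecurityLib). It does three things: mirrors the hex-pair loop above with bytes.fromhex(), builds {SHA}/{MD5} and the salted {SSHA}/{SMD5} values the post describes in prose but does not code, and verifies a candidate password against a stored value by recovering the salt from the tail of the decoded digest. The 8-byte salt length, the SCHEMES table and the function names are this example's choices; the sample password "password" is constructed input.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 userPassword schemes this example handles: tag -> (digest, salted).
# {SHA} and {MD5} are what the post generates; {SSHA} and {SMD5} are the salted
# forms it describes. The table itself is an assumption of this example.
SCHEMES = {
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
}


def from_hex_digest(hex_digest, scheme="SHA"):
    """Mirror the post's ColdFusion loop: take a hex-encoded digest (what a
    library like SecurityLib returns), turn each hex pair back into a raw
    byte, base64-encode the bytes and prefix the scheme tag."""
    raw = bytes.fromhex(hex_digest)  # same job as the chr(InputBaseN(..,16)) loop
    return "{%s}%s" % (scheme.upper(), base64.b64encode(raw).decode("ascii"))


def encode_user_password(password, scheme="SSHA", salt=None):
    """Build a userPassword value: "{SCHEME}" + base64(digest [+ salt]).

    For salted schemes the digest is over password||salt and the salt is
    appended to the digest before base64 encoding, so a verifier can recover
    it later. The 8-byte random salt is this example's choice, not an RFC rule.
    """
    scheme = scheme.upper()
    hasher, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        if salt is None:
            salt = os.urandom(8)
        raw = hasher(pw + salt).digest() + salt
    else:
        if salt is not None:
            raise ValueError("%s is unsalted; a salt makes no sense here" % scheme)
        raw = hasher(pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def check_user_password(password, stored):
    """Verify a candidate password against a stored {SCHEME}base64 value.

    Whatever follows the fixed-size digest after base64 decoding is the salt;
    the candidate is hashed with it and compared in constant time. Malformed
    or unsupported values return False rather than raising.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    tag, b64 = stored[1:].split("}", 1)
    tag = tag.upper()
    if tag not in SCHEMES:
        return False
    hasher, salted = SCHEMES[tag]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    size = hasher().digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (not salted and salt):
        return False
    expected = hasher(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed sample: the hex digest a library would hand back for "password".
    hex_sha1 = hashlib.sha1(b"password").hexdigest()
    print(from_hex_digest(hex_sha1))  # {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
    stored = encode_user_password("password")  # {SSHA} with a fresh random salt
    print(stored)
    print(check_user_password("password", stored), check_user_password("wrong", stored))
```

Feeding the {SHA} value this produces into an LDAP modify of userPassword is exactly what the ColdFusion snippet does; the check function is what an LDAP server (or any code that has to validate against a directory dump) does on the other side, and shows why the salt has to ride along inside the stored value.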