How to retrieve LDAP password via JNDI

Question

I am able to read the password stored in LDAP via JNDI. But the result is some gibberish characters. So how do i decrypt it?

Below is my code:

public static void main(String[] args)
        {
            String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
            String MY_HOST = "ldap://KhooGP-Comp1:1389";
            String MGR_DN = "cn=Directory Manager";
            String MGR_PW = "password";
            String MY_SEARCHBASE = "dc=QuizPortal";
            String MY_FILTER = "uid=yiwei";
            String MY_ATTRS[] = {"cn", "uid", "sn", "userpassword"};

            //Identify service provider to use
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
            env.put(Context.PROVIDER_URL, MY_HOST);

            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
            env.put(Context.SECURITY_CREDENTIALS, MGR_PW);

            try
            {
                // Create the initial directory context
                InitialDirContext initialContext = new InitialDirContext(env);
                DirContext ctx = (DirContext)initialContext;

                System.out.println("Context Sucessfully Initialized");

                SearchControls constraints = new SearchControls();
                constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);

                NamingEnumeration results = ctx.search(MY_SEARCHBASE, MY_FILTER, constraints);

                while(results != null && results.hasMore())
                {
                    SearchResult sr = (SearchResult) results.next();
                    String dn = sr.getName() + "," + MY_SEARCHBASE;
                    System.out.println("Distinguished Name is " + dn);

                    Attributes ar = ctx.getAttributes(dn, MY_ATTRS);

                    if(ar == null)
                    {
                        System.out.println("Entry " + dn);
                        System.out.println(" has none of the specified attributes\n");
                    }
                    else
                    {
                        for(int i=0; i<MY_ATTRS.length; i++)
                        {
                            Attribute attr = ar.get(MY_ATTRS[i]);
                            System.out.println(MY_ATTRS[i] + ":");

                            for(Enumeration vals=attr.getAll(); vals.hasMoreElements();)
                            {
                                System.out.println("\t" + vals.nextElement());
                            }
                        }
                    }
                }
            }
            catch(Exception e)
            {
                System.err.println(e);
            }
    }

Below is the result:

    Distinguished Name is uid=yiwei,ou=Administrator,o=SID,dc=QuizPortal
    cn:
            yiwei huang
    uid:
            yiwei
    sn:
            huang
    userpassword:
            [B@1cd8669

Any advice?? Many thanks in advance

Kevin

Answer 1

What you're seeing ([B@1cd8669) is Java's way of saying "this is a byte array".

The stored "password" is most likely either a hash of the real password or an encrypted version. Cryptographic hashes are, by definition, non-reversible so you will not be able to see what the user's password is if LDAP stores the hash.

If it's encrypted then if you know the algorithm and the key it's fairly simple to decrypt. BouncyCastle is a great Java crypto library you can use to decrypt the password.

Basically, you need to know exactly what you're looking at, and that will depend on the LDAP setup.

Answer 2

with ldap we will get data in byte array.if you need to get the original password text use the
following code:

Attribute userPassword = attributes.get("userPassword");
String pwd = new String((byte[]) userPassword.get());