
Obtaining Luminis users password in Java program

Submitted by prakassh on Thu, 01/10/2013 - 12:32


Is there a way to programmatically (in Java code) get a Luminis user's password from the Luminis LDAP? And if so, what format will that password be in – will it be encoded or clear text? We'd like to do something similar to this:

String userLogin = (String)personInfo.getAttribute("urn:sungardhe:dir:loginId");

Our intention is to use the user’s name and password to authenticate against a remote webservice.

I don't know of a way to get a user's password, short of capturing them at the time of login. But it is a better practice to do some form of pass-through authentication rather than a user/pass login to the web service, if possible.

Even if the web service vendor doesn't have a means to connect to your LDAP, or offers something like CAS, you can usually work with them to do some form of a trusted 'handshake' (if coming from your site, if a hashed shared secret is passed, if ..., etc., let the user in with no password).

The short answer is no. The passwords are salted and hashed, so there is no computationally feasible way to recover the password. You could always brute force it, but that's not realistic for a large portion of users (not to mention the potential privacy issues involved). In short, there is no good reason an application needs to be able to decrypt the user's password.

That said, there are plenty of reasons somebody may need to send the password to another system. Optimally, external systems will provide SSO mechanisms (CAS, hashed MACs, etc.), but that's not always the case. If the external system has such a mechanism, I highly suggest going with that. Avoid sending a user's password whenever possible (especially if it really is an "external" system - i.e. your institution doesn't control it).

If that's not possible, then I suggest looking into CPIP and GCF for your solutions. This will allow you to send the user's current login information and password to a system. This works as it retains the credentials from the login. You could also try to capture the login credentials yourself, but this has additional security concerns as well.
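An added example, not code from the thread and not Luminis code, illustrating the second answer's point that a salted-and-hashed directory password can be checked but not recovered. It assumes the common LDAP {SSHA} layout (base64 of sha1(password + salt) followed by the salt); the page does not say which hash or layout the Luminis LDAP actually uses, so that layout, the sample password and the fixed salt are constructed for illustration only. The salt sits in the clear, so anyone holding the value can verify a guess, which is the brute-force path the answer mentions, but the password itself is only ever recomputed from a guess, never decrypted.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed {SSHA} layout: "{SSHA}" + base64( sha1(password || salt) || salt ).
# Constructed for the example; the real directory's scheme is not stated on the page.
SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; everything after it is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """What a directory stores at password-set time (the only time it sees the clear text)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate against a stored {SSHA} value.

    The salt is recoverable because it is appended in the clear; the password is
    not. The only available operation is "hash this guess with that salt and
    compare", which is why an application cannot 'decrypt' the stored value.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare: do not leak how many leading bytes matched
    return hmac.compare_digest(candidate, digest)


def recover_by_guessing(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """The brute-force route the answer mentions: one hash per guess, per user,
    because each user's salt differs. Returns the guess that matched, or None."""
    for guess in wordlist:
        if verify_ssha(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # constructed sample: fixed salt so the stored value is reproducible here
    stored = make_ssha("correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    print("stored:", stored)
    print("right password verifies:", verify_ssha("correct horse", stored))
    print("wrong password verifies:", verify_ssha("wrong", stored))
    print("guessing:", recover_by_guessing(stored, ["123456", "password", "correct horse"]))
```

Note that `make_ssha` exists here only to build a sample value; an application in the position described in the question would never hold the clear-text password and would only ever be able to call something like `verify_ssha`.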
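An added example, not from the thread and not Luminis, CAS or CPIP/GCF code, of the "trusted handshake" with a hashed shared secret that the first answer describes and the "hashed MACs" SSO the second answer prefers over forwarding the password. It shows both sides of the exchange: the portal issues an assertion about the logged-in user (the `urn:sungardhe:dir:loginId` attribute from the question is the natural source of the subject) authenticated with an HMAC under a secret shared with the remote web service, and the service verifies the MAC, rejects stale tokens and refuses replays. The shared secret, the login id and the skew window are assumptions for the example; the same construction ports directly to Java's `javax.crypto.Mac`. Where the vendor offers CAS or its own SSO, that should be used instead, as both answers say.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Assumed: a secret provisioned out of band on both the portal and the web
# service. Constructed for the example; in practice, long, random and rotated.
SHARED_SECRET = b"example-shared-secret-rotate-me"
MAX_SKEW_SECONDS = 120  # assumed freshness window


def _mac(secret: bytes, payload: bytes) -> str:
    """HMAC-SHA256 over the exact bytes that will be transmitted."""
    return base64.urlsafe_b64encode(hmac.new(secret, payload, hashlib.sha256).digest()).decode("ascii")


def issue_assertion(login_id: str, secret: bytes = SHARED_SECRET, now: Optional[float] = None) -> str:
    """Portal side: "this user is logged in here", without ever touching the password.

    The subject is bound to an issue time and a one-time nonce; the MAC covers
    all three, so none of them can be altered by a party without the secret.
    """
    claims = {
        "sub": login_id,
        "iat": int(now if now is not None else time.time()),
        "nonce": base64.urlsafe_b64encode(os.urandom(12)).decode("ascii"),
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + _mac(secret, payload)


class AssertionVerifier:
    """Web service side: accept only fresh, unreplayed assertions with a valid MAC."""

    def __init__(self, secret: bytes = SHARED_SECRET, max_skew: int = MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = set()  # a real service would also prune entries older than max_skew

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the asserted login id, or None if the token must be rejected."""
        try:
            body, tag = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body)
        except (ValueError, binascii.Error):
            return None
        # Authenticate before parsing: nothing in the payload is trusted until the MAC checks.
        if not hmac.compare_digest(_mac(self.secret, payload), tag):
            return None  # tampered, or issued by a party without the shared secret
        claims = json.loads(payload)
        current = now if now is not None else time.time()
        if abs(current - claims["iat"]) > self.max_skew:
            return None  # stale: bounds how long a captured token stays usable
        if claims["nonce"] in self.seen_nonces:
            return None  # replay of a token already accepted
        self.seen_nonces.add(claims["nonce"])
        return claims["sub"]


def forge_subject(token: str, new_subject: str) -> str:
    """What an attacker without the secret can do: swap the subject and keep the old MAC."""
    body, tag = token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["sub"] = new_subject
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + tag


if __name__ == "__main__":
    verifier = AssertionVerifier()
    token = issue_assertion("jdoe")               # portal, at login time
    print("first use:", verifier.verify(token))   # jdoe
    print("replay:", verifier.verify(token))      # None
    print("forged:", verifier.verify(forge_subject(issue_assertion("jdoe"), "admin")))  # None
```

The service never sees a password, so a compromise of the web service cannot expose directory credentials, and a leaked token is useful only within the skew window and only once.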