|
If you were logged in you would be able to see more operations.
|
|
|
|
Issue Links:
|
Reference
|
|
This issue relates to:
|
|
|
DIRSERVER-289 Configure an optional password message digest algorithm which is applied on userPassword attribute values at add and modify operations.
|
|
|
|
|
|
|
|
| Resolution Date: |
18/Jan/06 02:14 AM
|
|
Because the admin user is allowed to see everything, I suggest to store the attribute values for user password other than in clear. I nice solution would be to make this configurable (other server products allow comparable functionality):
* Configure a hash function to use for password storage (e.g. MD5, SSHA, ...)
* Allow clients to store the value as a hashed value on their own as well (calculated with a function other than the configured one, if they like)
* Enable simple bind with value in clear text (hash value calculated within the server and compared against the stored value)
* Still allow clear passwords, because some authentication mechanisms need this (e.g. DIGEST-MD5)
Hashed values does not add that much security, but at least is is harder for admin to catch a password and commit it to his/her memory.
Some products even allow to encrypt the password (two-way), but I think the features above should do for the first run.
|
|
Description
|
Because the admin user is allowed to see everything, I suggest to store the attribute values for user password other than in clear. I nice solution would be to make this configurable (other server products allow comparable functionality):
* Configure a hash function to use for password storage (e.g. MD5, SSHA, ...)
* Allow clients to store the value as a hashed value on their own as well (calculated with a function other than the configured one, if they like)
* Enable simple bind with value in clear text (hash value calculated within the server and compared against the stored value)
* Still allow clear passwords, because some authentication mechanisms need this (e.g. DIGEST-MD5)
Hashed values does not add that much security, but at least is is harder for admin to catch a password and commit it to his/her memory.
Some products even allow to encrypt the password (two-way), but I think the features above should do for the first run. |
Show » |
| There are no subversion log entries for this issue yet.
|
|
New Feature
Closed
Blocker
