|
Stefan Zoerner made changes - 28/Oct/05 08:12 AM
Any progress on this Stefan. I'd like to have this feature in the 1.0 RC1 so let me know how it's coming along. Thanks!
This is very important. I would not put an LDAP server into a production environement if passwords were in the clear even if I did have ACI to protect them. Just not a smart idea.
Alex Karasulu made changes - 07/Jan/06 07:01 PM
Here is the update you asked for:
The current 0.9.4 snapshot already contains an partial implementation of the requirements described in this issue. If a user entry contains a userpassword attribute with a digested (e.g. MD5) value, authentication is still possible (password in clear). This is due to changes in class org.apache.ldap.server.authn.SimpleAuthenticator made in November 2005. To be more concrete, if you add an entry like this (password is "beekeeper") dn: cn=Tori Amos,dc=example,dc=com objectclass: top objectclass: person sn: Amos cn: Tori Amos userpassword: {SHA}Bv4hld5bnIbFqp9CAnBEzQ/9ceo= The following works (Tori binds successfully): $ ldapsearch -D "cn=Tori Amos,dc=example,dc=com" -w beekeeper -p 10389 -b "dc=example,dc=com" -s one "(objectclass=*)" Only those algorithms which are supported by java.security.MessageDigest work properly. We have a contribution for a more extensible solution by Jacob S. Barrett, see DIRJANUS-28 for details. It is not included in the current code. Currently it is necessary to store the userpassword attribute "encrypted" on your own, in the form "{algorithm}BASE64VALUE". Some tools offer support for that (Softerra, JXplorer, ...). This is the missing part of the requirement. It would be nice to have a configurable interceptor which stores userpassword values in a digested manner automatically (not everyone will choose this option, because some authentication methods forbid storing password one way encrypted). Its up to you to decide whether the functionality described above (storing hashed passwords is allowed and simple bind acknowledges them) and already implemented is sufficient for a 1.0 as a bare minimum. Sounds great Stefan. Congrats on your first feature addition to the server. This is exactly what we're lookiing for in 1.0. Just not to have passwords in the clear stored in the repo is a big plus. I'll be looking to play with this feature within a litle bit. Thanks!!!
Stefan Zoerner made changes - 13/Jan/06 03:53 AM
How about closing this issue (hence it is blocker) and create a new wish, which only contains the missing functionality?
The latter is only one of the original four list items from this issue missing: To configure an optional password message digest algorithm which is applied on userPassword attribute values at add and modify operations.
Stefan Zoerner made changes - 14/Jan/06 08:10 PM
These issues are related. This one is to complete the functionality on DIREVE-296.
Alex Karasulu made changes - 18/Jan/06 02:13 AM
Thanks Stefan I will create the new issue for the missing parts of this. Please elaborate on htat issue.
Alex Karasulu made changes - 18/Jan/06 02:14 AM
Alex Karasulu made changes - 10/Feb/06 12:27 PM
Alex created a new item which describes the missing functionality of this issue: DIRSERVER-289. Therefore I close this one.
Stefan Zoerner made changes - 25/Jun/06 08:26 PM
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 |
|
New Feature
Closed
Blocker
Storing user passwords other than in clear
(Thanks to Alex for the hint)