Directory ApacheDS: DIRSERVER-817

SimpleAuthenticator enhancements, including support for one-way hash for admin password in server.xml

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0, 1.0.1, 1.0.2, 1.5.0, 1.5.1
    • Fix Version/s: 1.5.4
    • Component/s: core
    • Labels:
      None
    • Environment:
      N/A

      Description

      Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin password. Unfortunately if a user wants both of these features at the same time:
      a) one-way hashes used for password persistently stored in AD partition AND
      b) one-way hash used for admin password in server.xml
      then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.

      Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.

      Not sure how much interest any of this is to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and make the patch available in case. The root problem seems to be the fairly strange way the AD front-end needs the admin password from server.xml to bind to the back-end.
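As an added illustration (not code from the patch or from ApacheDS, and in Python rather than the server's Java), this is the comparison the description is talking about: a bind check against an RFC 2307 style {SHA}/{SSHA} userPassword value, with the literal hash-to-hash comparison the reporter describes behind an opt-in flag, so that by default a stored digest cannot itself be used as the credential. The function names and the sample password are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed sample (not from the issue): the admin password that server.xml
# would otherwise carry in cleartext.
ADMIN_PASSWORD = b"secret"


def encode_ldap_hash(password: bytes, scheme: str = "SSHA", salt: bytes = b"") -> bytes:
    """Produce an RFC 2307 style {SHA} or {SSHA} userPassword value."""
    scheme = scheme.upper()
    if scheme == "SHA":
        return b"{SHA}" + base64.b64encode(hashlib.sha1(password).digest())
    if scheme == "SSHA":
        salt = salt or os.urandom(8)
        return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)
    raise ValueError("unsupported scheme: " + scheme)


def parse_ldap_hash(value: bytes):
    """Return (scheme, digest, salt); scheme is None when the value is cleartext."""
    if value.startswith(b"{") and b"}" in value:
        end = value.index(b"}")
        scheme = value[1:end].upper()
        try:
            raw = base64.b64decode(value[end + 1:], validate=True)
        except (binascii.Error, ValueError):
            return None, value, b""
        if scheme == b"SHA":
            return "SHA", raw, b""
        if scheme == b"SSHA":
            return "SSHA", raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
    return None, value, b""


def password_matches(stored: bytes, creds: bytes, accept_hashed_creds: bool = False) -> bool:
    """Check bind credentials against a stored userPassword value.

    Default: creds are always treated as cleartext and hashed before comparing,
    so a leaked digest cannot be used to bind. With accept_hashed_creds=True a
    digest supplied as creds is compared literally to the stored digest, which is
    exactly what turns the hash in server.xml into a password-equivalent.
    """
    scheme, digest, salt = parse_ldap_hash(stored)
    if scheme is None:
        return hmac.compare_digest(stored, creds)
    if accept_hashed_creds:
        creds_scheme, creds_digest, _ = parse_ldap_hash(creds)
        if creds_scheme == scheme:
            return hmac.compare_digest(digest, creds_digest)
    return hmac.compare_digest(digest, hashlib.sha1(creds + salt).digest())
```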

        Activity

        Norval Hope created issue -
        Norval Hope made changes -
        Field Original Value New Value
        Summary SimpleAuthenticator ehancements, inclduing support for one-way hash for admin password in server.xml SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
        Norval Hope made changes -
        Attachment simpleauth.patch [ 12348465 ]
        Emmanuel Lecharny made changes -
        Fix Version/s 1.5.1 [ 12310792 ]
        Alex Karasulu made changes -
        Fix Version/s 1.5.2 [ 12310793 ]
        Affects Version/s 1.0.1 [ 12312091 ]
        Affects Version/s 1.5.1 [ 12310792 ]
        Fix Version/s 1.5.1 [ 12310792 ]
        Affects Version/s 1.0.2 [ 12312309 ]
        Emmanuel Lecharny made changes -
        Fix Version/s 1.5.3 [ 12312693 ]
        Fix Version/s 1.5.2 [ 12310793 ]
        Alex Karasulu made changes -
        Fix Version/s 1.5.4 [ 12313147 ]
        Fix Version/s 1.5.3 [ 12312693 ]
        Alex Karasulu made changes -
        Resolution Fixed [ 1 ]
        Status Open [ 1 ] Closed [ 6 ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Norval Hope