directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r857121 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/4.1.1.2-name-password-authn.html
Date Wed, 03 Apr 2013 14:10:06 GMT
Author: buildbot
Date: Wed Apr  3 14:10:05 2013
New Revision: 857121

Log:
Staging update by buildbot for directory

Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.1.2-name-password-authn.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Wed Apr  3 14:10:05 2013
@@ -1 +1 @@
-1464030
+1464032

Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.1.2-name-password-authn.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.1.2-name-password-authn.html
(original)
+++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.1.1.2-name-password-authn.html
Wed Apr  3 14:10:05 2013
@@ -138,6 +138,153 @@
 
 
 <h1 id="4112-namepassword-authentication">4.1.1.2 - Name/Password Authentication</h1>
+<p>This is the most common authentication system, though not the safest. The user provides
his name and a password. Both are passed as clear text to the server, which checks that the
user exists, and that its password is correct.</p>
+<h2 id="users-name-retrieval">User's name retrieval</h2>
+<p>The first thing the server does is to check that the user's name exists in the server.
The provided name is always a full <strong>DN</strong>.</p>
+<p>Here is an example of simple authentication using Studio, where we authenticate
the <strong>uid=admin,ou=system</strong> user :</p>
+<p><img alt="Name/Password authentication" src="images/simple-name-password-authn.png"
/></p>
+<p>The password is not visible here, but this is just for security reasons.</p>
+<p>This request is sent to the server, which will check that the <strong>uid=admin,ou=system</strong>
exists in its backend. If it doesn't, the authentication will fail.</p>
+<h2 id="password-check">Password check</h2>
+<p>That's not enough : once the user is retreived, we have to check the provided password
against the stored password. </p>
+<p>The entry associated with the user should contain a <strong>userPassword</strong>
AttributeType, otherwise the request will be rejected. Here is an example of such an entry
:</p>
+<div class="codehilite"><pre>version: 1
+
+dn: uid=admin,ou=system
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: system administrator
+sn: administrator
+displayName: Directory Superuser
+uid: admin
+userPassword:: c2VjcmV0
+</pre></div>
+
+
+<p>As we can see, this entry has an <strong>userPassword</strong> which
contains the base64 encoded password. If we decode the value, we get :</p>
+<div class="codehilite"><pre>userPassword: secret
+</pre></div>
+
+
+<p>Not exactly safe...</p>
+<h3 id="password-storage">Password storage</h3>
+<p>As we have juste seen, the password is stored in plain text in the server. This
is not exatcly safe ! As soon as someone gets access to your server, all the passwords are
compromised. This is certainly not the way we want to protect our users !</p>
+<p>Hopefully, you can hash those passwords, instead of storing them as provided. </p>
+<p><DIV class="note" markdown="1">
+A hashed password is not a password we can decrypt : when we hash a password, we lose some
information. Also note that two different passwords might result in the exact same hash value,
but it's unlikely.
+</DIV></p>
+<p><strong>ApacheDS</strong> let you select an encryption type when you
inject a password :</p>
+<p><img alt="Password hash method selection" src="images/password-hash-selection.png"
/></p>
+<p>The following hash method are available :</p>
+<table>
+<thead>
+<tr>
+<th>Hash method</th>
+<th>Comment</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>PLAIN</td>
+<td>no hashing</td>
+</tr>
+<tr>
+<td>MD5</td>
+<td>-</td>
+</tr>
+<tr>
+<td>SMD5</td>
+<td>Salted MD5</td>
+</tr>
+<tr>
+<td>crypt</td>
+<td>-</td>
+</tr>
+<tr>
+<td>SHA</td>
+<td>SHA-1</td>
+</tr>
+<tr>
+<td>SSHA</td>
+<td>Salted SHA-1</td>
+</tr>
+<tr>
+<td>SHA-256</td>
+<td>SHA-2 (Studio 2.0)</td>
+</tr>
+<tr>
+<td>SSHA-256</td>
+<td>Salted SHA-2 (Studio 2.0)</td>
+</tr>
+<tr>
+<td>SHA-384</td>
+<td>SHA-2 (Studio 2.0)</td>
+</tr>
+<tr>
+<td>SSHA-384</td>
+<td>Salted SHA-2 (Studio 2.0)</td>
+</tr>
+<tr>
+<td>SHA-512</td>
+<td>SHA-2 (Studio 2.0)</td>
+</tr>
+<tr>
+<td>SSHA-512</td>
+<td>Salted SHA-2 (Studio 2.0)</td>
+</tr>
+</tbody>
+</table>
+<h3 id="how-it-works">How it works ?</h3>
+<p>So the server receives a Name/Password authentication request. The password is <em>in
clear text</em> up to this point. Once the user is found in the server, and if it has
a <strong>userPassword</strong> attributeType, the server extracts each values
contained in this AttributeType (we may have more than one password per user) and check the
provided password against those values.</p>
+<p>This is not as simple as it seems : as we may have hashed the values on the server,
we first have to detect the selected hash method, and then hash the provided password, which
result is compaed to the stored hashed value.</p>
+<p>Hopefully, the hash method is stored within the hashed password in the server :</p>
+<div class="codehilite"><pre>version: 1
+
+dn: uid=admin,ou=system
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: system administrator
+sn: administrator
+displayName: Directory Superuser
+uid: admin
+userPassword:: c2VjcmV0
+userPassword:: {CRYPT}FgGgCMynLfYGw
+</pre></div>
+
+
+<p>Here, one of the <strong>userPassword</strong> value is hashed using
the <strong>crypt</strong> algorithm. The following code is used to chekc the
provided password :</p>
+<div class="codehilite"><pre>for each stored password
+  if it has a hash method 
+    then 
+      extract the method
+      hash the provided password using this method
+      compare the result with the stored hash value
+      if they are equal
+        then
+          return true
+    else
+      compare the provided password with the stored password
+      if they are equal
+        then
+          return true
+done
+
+return false
+</pre></div>
+
+
+<p><DIV class="note" markdown="1">
+  A few rule of thumb :
+  o Never store a password as plain text. 
+  o Prefer salted methods over non salted ones, and prefer the strongest one (here, SSHA-512
on Studio 2.0, or SSHA)
+  o crypt is also a good choice
+  o Pick strong passwords, otherwise if someone gets access to the list of passwords, he
or she can run a rainbow attack on it.
+  o Keep in mind that whatever you do, the password will be passed in clear text from the
client to the server. Always use startTLS before any bind, or at least use SSL
+</DIV></p>
 
 
     <div class="nav">
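Review bot: the second LDIF example (the entry with both `userPassword:: c2VjcmV0` and `userPassword:: {CRYPT}FgGgCMynLfYGw`) keeps the plain-text value next to the hashed one, and the check loop that follows returns true on the first matching value of either kind, so as written the example still authenticates with the clear-text password and contradicts the "Never store a password as plain text" rule in the note below it; drop the `c2VjcmV0` line from that example, or state explicitly that an entry mixing plain and hashed values is still accepted via its plain value. The rule of thumb "crypt is also a good choice" comes right after the advice to prefer the strongest salted method, while the table gives crypt no comment at all; say which crypt variant is meant and why it is acceptable, or remove that line. Smaller points: "Hopefully" (used twice) should be "Fortunately", "rainbow attack" should be "rainbow table attack", "let you select" should be "lets you select", "hash method are available" should be "hash methods are available", and the typos "retreived", "juste", "exatcly", "compaed" and "chekc" need fixing; the two `<DIV class="note" markdown="1">` blocks are wrapped in `<p>`, which is invalid nesting, and the "o" bullets in the second note should be a real `<ul>` list.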


