directory-dev mailing list archives

From "Stefan Zoerner (JIRA)" <directory-...@incubator.apache.org>
Subject [jira] Created: (DIREVE-296) Storing user passwords other than in clear
Date Wed, 26 Oct 2005 22:12:55 GMT
Storing user passwords other than in clear
------------------------------------------

         Key: DIREVE-296
         URL: http://issues.apache.org/jira/browse/DIREVE-296
     Project: Directory Server
        Type: New Feature
    Reporter: Stefan Zoerner
 Assigned to: Alex Karasulu 
    Priority: Minor


Because the admin user is allowed to see everything, I suggest storing the attribute values
for user password other than in clear. A nice solution would be to make this configurable
(other server products allow comparable functionality):

* Configure a hash function to use for password storage (e.g. MD5, SSHA, ...)
* Allow clients to store the value as a hashed value on their own as well (calculated with
a function other than the configured one, if they like)
* Enable simple bind with value in clear text (hash value calculated within the server and
compared against the stored value)
* Still allow clear passwords, because some authentication mechanisms need this (e.g. DIGEST-MD5)

Hashed values do not add that much security, but at least it is harder for an admin to catch
a password and commit it to his/her memory.
Some products even allow to encrypt the password (two-way), but I think the features above
should do for the first run.

-- 
This message is automatically generated by JIRA.
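The four bullets above describe one coherent mechanism: a server-side default hash scheme, acceptance of client-supplied values that already carry a different scheme, simple bind that hashes the cleartext the client sends and compares against whatever is stored, and an escape hatch for entries that must stay in clear. The following is an added example written for this page; it is not ApacheDS code and the issue proposes no implementation. It uses the conventional LDAP `{SCHEME}base64(...)` encoding of userPassword (as in RFC 2307 deployments) with `{SSHA}`, `{SMD5}`, `{SHA}`, `{MD5}` and cleartext, and the `PasswordStore`, `encode_password`, `check_password` and `split_scheme` names, the 8-byte salt length and the `store_clear` flag are assumptions of the example, not of the project.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Scheme name -> hashlib algorithm. Salted schemes hash password || salt and
# store base64(digest || salt); unsalted ones store base64(digest). A value
# without a known "{SCHEME}" prefix is treated as cleartext. (Assumed layout,
# matching common LDAP practice; not something the issue specifies.)
SALTED_SCHEMES = {"SSHA": "sha1", "SMD5": "md5"}
UNSALTED_SCHEMES = {"SHA": "sha1", "MD5": "md5"}
CLEAR = "CLEAR"


def encode_password(password: str, scheme: str = "SSHA", salt: bytes | None = None) -> str:
    """Produce the userPassword value for `password` under `scheme`."""
    scheme = scheme.upper()
    raw = password.encode("utf-8")
    if scheme == CLEAR:
        return password
    if scheme in UNSALTED_SCHEMES:
        digest = hashlib.new(UNSALTED_SCHEMES[scheme], raw).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    if scheme in SALTED_SCHEMES:
        salt = os.urandom(8) if salt is None else salt  # fresh salt per value
        digest = hashlib.new(SALTED_SCHEMES[scheme], raw + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    raise ValueError("unsupported password scheme: %s" % scheme)


def split_scheme(stored: str) -> tuple[str, str]:
    """Return (scheme, body); scheme is CLEAR when no known prefix is present."""
    if stored.startswith("{") and "}" in stored:
        name, body = stored[1:].split("}", 1)
        name = name.upper()
        if name in SALTED_SCHEMES or name in UNSALTED_SCHEMES:
            return name, body
    return CLEAR, stored


def check_password(stored: str, supplied: str) -> bool:
    """Verify cleartext `supplied` against a stored value of any known scheme.
    The scheme is taken from the stored value, so a client-hashed entry using a
    scheme other than the server default still verifies. Comparisons go through
    hmac.compare_digest to avoid leaking the match length through timing."""
    scheme, body = split_scheme(stored)
    raw = supplied.encode("utf-8")
    if scheme == CLEAR:
        return hmac.compare_digest(body.encode("utf-8"), raw)
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if scheme in UNSALTED_SCHEMES:
        expected = hashlib.new(UNSALTED_SCHEMES[scheme], raw).digest()
        return hmac.compare_digest(blob, expected)
    algo = SALTED_SCHEMES[scheme]
    n = hashlib.new(algo).digest_size
    digest, salt = blob[:n], blob[n:]  # salt is whatever follows the digest
    expected = hashlib.new(algo, raw + salt).digest()
    return hmac.compare_digest(digest, expected)


class PasswordStore:
    """In-memory stand-in for the userPassword attribute of a directory.
    `default_scheme` plays the role of the server-side configuration."""

    def __init__(self, default_scheme: str = "SSHA") -> None:
        self.default_scheme = default_scheme.upper()
        self._entries: dict[str, str] = {}

    def set_password(self, dn: str, value: str, store_clear: bool = False) -> str:
        """Store a password for `dn` and return the value actually stored.
        A value already carrying a known {SCHEME} prefix is taken as hashed by
        the client and kept verbatim, even if the scheme differs from the
        default. Otherwise it is hashed with the default scheme unless
        store_clear=True (for entries that need cleartext, e.g. DIGEST-MD5).
        Caveat: a cleartext password that itself starts with e.g. "{SSHA}" is
        indistinguishable from a pre-hashed value under this convention."""
        scheme, _ = split_scheme(value)
        if scheme != CLEAR or store_clear:
            stored = value
        else:
            stored = encode_password(value, self.default_scheme)
        self._entries[dn] = stored
        return stored

    def stored_value(self, dn: str) -> str | None:
        return self._entries.get(dn)

    def simple_bind(self, dn: str, password: str) -> bool:
        """LDAP simple bind: the client sends cleartext, the server hashes it
        with the scheme of the stored value and compares."""
        stored = self._entries.get(dn)
        if stored is None:
            # Do a dummy check so an unknown DN costs the same time as a bad password.
            check_password(encode_password("", self.default_scheme), password)
            return False
        return check_password(stored, password)


if __name__ == "__main__":
    store = PasswordStore("SSHA")
    print(store.set_password("uid=alice,ou=users,o=example", "secret"))
    print(store.set_password("uid=bob,ou=users,o=example", "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="))
    print(store.simple_bind("uid=alice,ou=users,o=example", "secret"),
          store.simple_bind("uid=bob,ou=users,o=example", "secret"),
          store.simple_bind("uid=bob,ou=users,o=example", "wrong"))
```

Note that the scheme is read from the stored value, not from the server configuration, which is exactly what makes the second bullet work: `{MD5}` values written by a client verify even when the server default is `{SSHA}`. It is also why unsalted `{MD5}` and `{SHA}` should be read as legacy compatibility rather than a recommendation; the salted form at least stops two users with the same password from producing the same stored value.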