From: "Stefan Zoerner (JIRA)"
To: dev@directory.apache.org
Date: Fri, 28 Oct 2005 01:12:56 +0200 (CEST)
Subject: [jira] Commented: (DIREVE-296) Storing user passwords other than in clear
Message-ID: <2026859351.1130454776716.JavaMail.jira@ajax.apache.org>
In-Reply-To: <1238746614.1130364775481.JavaMail.jira@ajax.apache.org>

[ http://issues.apache.org/jira/browse/DIREVE-296?page=comments#action_12356150 ]

Stefan Zoerner commented on DIREVE-296:
---------------------------------------

Consider implementing RFC 3112 ("LDAP Authentication Password Schema"), http://www.faqs.org/rfcs/rfc3112.html (Thanks to Alex for the hint)

> Storing user passwords other than in clear
> ------------------------------------------
>
>          Key: DIREVE-296
>          URL: http://issues.apache.org/jira/browse/DIREVE-296
>      Project: Directory Server
>         Type: New Feature
>     Reporter: Stefan Zoerner
>     Assignee: Alex Karasulu
>     Priority: Minor
>
> Because the admin user is allowed to see everything, I suggest storing the attribute values for user password other than in clear. A nice solution would be to make this configurable (other server products allow comparable functionality):
> * Configure a hash function to use for password storage (e.g. MD5, SSHA, ...)
> * Allow clients to store the value as a hashed value on their own as well (calculated with a function other than the configured one, if they like)
> * Enable simple bind with value in clear text (hash value calculated within the server and compared against the stored value)
> * Still allow clear passwords, because some authentication mechanisms need this (e.g. DIGEST-MD5)
> Hashed values do not add that much security, but at least it is harder for the admin to catch a password and commit it to his/her memory.
> Some products even allow to encrypt the password (two-way), but I think the features above should do for the first run.
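The four bullets in the quoted issue describe one mechanism: the server hashes with a configured scheme, a client may write an already-hashed value in a different scheme, simple bind recomputes from the clear text and compares, and clear values stay allowed. The block below is an added illustration of that mechanism and is not Apache Directory Server code; it assumes the `{SCHEME}base64` prefix convention for `userPassword` that other LDAP servers use (salted schemes append the salt to the digest, with an 8-byte salt chosen here by assumption), and the function names are hypothetical.

```python
"""Scheme-prefixed userPassword storage and simple-bind verification.

Added example, not project code. Assumes the {SCHEME}base64 convention:
unsalted schemes store base64(digest), salted schemes store
base64(digest || salt). Scheme names are matched case-insensitively.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Supported one-way schemes from the issue (MD5, SSHA) plus their siblings.
_DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
            "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
_SALTED = {"SMD5", "SSHA"}
_SALT_LEN = 8                       # assumption: 8-byte salt, a common choice

_PREFIX_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def hash_password(clear: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Produce the value to store. Scheme CLEAR keeps the text unchanged (bullet 4)."""
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return clear
    if scheme not in _DIGESTS:
        raise ValueError("unsupported password scheme: %s" % scheme)
    pw = clear.encode("utf-8")
    if scheme in _SALTED:
        salt = os.urandom(_SALT_LEN) if salt is None else salt
        raw = _DIGESTS[scheme](pw + salt).digest() + salt   # digest || salt
    else:
        raw = _DIGESTS[scheme](pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def store_password(value: str, configured_scheme: str = "SSHA") -> str:
    """What the server writes on modify: a client-supplied {SCHEME} value in a
    known scheme is kept as-is (bullet 2); anything else is hashed with the
    configured scheme (bullet 1)."""
    m = _PREFIX_RE.match(value)
    if m and (m.group(1).upper() in _DIGESTS or m.group(1).upper() == "CLEAR"):
        return value
    return hash_password(value, configured_scheme)


def verify_bind(stored: str, clear: str) -> bool:
    """Simple bind (bullet 3): recompute with the scheme found in the stored
    value, whatever the server's configured scheme is, and compare in
    constant time. Unknown schemes and malformed values are refused."""
    m = _PREFIX_RE.match(stored)
    if m is None:                                   # no prefix: stored in clear
        return hmac.compare_digest(stored.encode("utf-8"), clear.encode("utf-8"))
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), clear.encode("utf-8"))
    if scheme not in _DIGESTS:
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:                              # binascii.Error is a ValueError
        return False
    digest_len = _DIGESTS[scheme]().digest_size
    pw = clear.encode("utf-8")
    if scheme in _SALTED:
        if len(raw) <= digest_len:                  # must carry digest plus salt
            return False
        salt = raw[digest_len:]
        expected = _DIGESTS[scheme](pw + salt).digest()
        return hmac.compare_digest(raw[:digest_len], expected)
    return hmac.compare_digest(raw, _DIGESTS[scheme](pw).digest())


if __name__ == "__main__":
    # Constructed sample: server configured for SSHA, one client writes SHA itself.
    stored_by_server = store_password("s3cret")
    stored_by_client = store_password(hash_password("s3cret", "SHA"))
    print(stored_by_server, verify_bind(stored_by_server, "s3cret"))
    print(stored_by_client, verify_bind(stored_by_client, "s3cret"))
```

The verifier trusts the scheme tag in the stored value rather than the configured one, which is what lets a client-written `{SHA}` value keep working on a server configured for SSHA. The salt in SSHA/SMD5 is what stops an admin who can read the attribute from looking a digest up in a precomputed table; the issue's own caveat still holds, since MD5 and SHA-1 are fast and an offline guessing attack on the stored value remains cheap compared to a deliberately slow key-derivation function, and the hashed form cannot serve mechanisms such as DIGEST-MD5 that need the clear value.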