directory-dev mailing list archives

From Stefan Zoerner <ste...@labeo.de>
Subject Re: support for {SHA} admin password in server.xml
Date Fri, 05 Jan 2007 19:15:28 GMT
Norval Hope wrote:
> I have added support in 1.5.0 for SimpleAuthenticator for using
> hash-encoded passwords in server.xml, whereas previously it only
> supported hash-encoded passwords passed in to the BIND, and cleartext
> password in server.xml.
> 
> I'm happy to raise a JIRA and submit a patch / commit my change but
> first I wanted to ask some questions:
>    1. Is the current hash-encode support designed to stop cleartext
> passwords being transmitted when LDAPS is not being used? If so, isn't
> the fact that the admin password is in cleartext in server.xml also a
> cause for concern?

The current behavior is that if a user password is stored one-way 
encrypted in the partition, and a client uses the clear text value 
during a bind request, he is authenticated (if the hash value of the 
clear text password corresponds to the stored value for the user). This 
is independent of enabling/using LDAPS.

Providing the hashed value of the userpassword attribute instead of the 
original value will be rejected by ApacheDS. This is intended. If 
someone was able to catch this value (from an LDIF export for instance), 
s/he must still provide the password itself in order to get authenticated.

From the client point of view, both are described with samples here:
http://cwiki.apache.org/DIRxSRVx10/authentication-options.html#Authenticationoptions-Passwordsstoredonewayencrypted

I hope this helps,
     Greetings, Stefan
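
The comparison Stefan describes (server hashes the bind value and compares it to the stored digest, so presenting the stored "{SHA}..." string itself as the password is rejected), written out as an added Python example. This is not ApacheDS code and not part of the thread; it assumes the RFC 2307 style "{SCHEME}base64(digest [+ salt])" encoding for the {SHA} and {SSHA} schemes, and the function names (hash_password, parse_stored, check_bind) and sample passwords are the example's own.

```python
"""
Bind-password verification against a one-way hashed userPassword value.

Illustrative example, not ApacheDS code. Assumes the RFC 2307 style
"{SCHEME}base64" encoding: {SHA} is unsalted SHA-1, {SSHA} is SHA-1 over
password+salt with the salt appended to the digest before base64.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme prefix -> hashlib constructor (both are SHA-1; they differ in salting).
SCHEMES = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1}


def hash_password(cleartext: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Produce a '{SCHEME}base64' value suitable for storing in userPassword
    (or, in the spirit of the patch discussed above, in a config file)."""
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    if scheme == "SSHA":
        if salt is None:
            salt = os.urandom(8)  # salt length is not fixed by the format
    else:
        salt = b""  # plain {SHA} carries no salt
    digest = SCHEMES[scheme](cleartext.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def parse_stored(value: str) -> Optional[Tuple[str, bytes, bytes]]:
    """Split '{SCHEME}payload' into (scheme, digest, salt).
    Returns None when the value has no scheme prefix, i.e. it is cleartext."""
    if not value.startswith("{") or "}" not in value:
        return None
    scheme, _, payload = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(payload)
    digest_len = SCHEMES[scheme]().digest_size  # 20 bytes for SHA-1
    return scheme, raw[:digest_len], raw[digest_len:]


def check_bind(stored: str, bind_password: str) -> bool:
    """Server-side check. The bind value is always treated as cleartext and
    hashed with the stored salt; it is never string-compared to the stored
    value, which is why sending the '{SHA}...' string itself fails."""
    parsed = parse_stored(stored)
    if parsed is None:
        # Cleartext storage: constant-time equality on the raw bytes.
        return hmac.compare_digest(stored.encode("utf-8"),
                                   bind_password.encode("utf-8"))
    scheme, digest, salt = parsed
    candidate = SCHEMES[scheme](bind_password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: a user whose password "secret" is stored as {SSHA}.
    stored = hash_password("secret", "SSHA", salt=b"12345678")
    print(stored)
    print("cleartext bind:", check_bind(stored, "secret"))      # True
    print("hash-as-password:", check_bind(stored, stored))      # False
```

The check_bind(stored, stored) call is the case Stefan refers to: someone who captured the userPassword value from an LDIF export and replays it as the bind password gets it hashed again and is rejected. Whether or not LDAPS is in use does not enter into this comparison at all; it only decides whether the cleartext value can be read off the wire.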

