directory-dev mailing list archives

From "Norval Hope" <>
Subject support for {SHA} admin password in server.xml
Date Fri, 05 Jan 2007 03:29:08 GMT
I have added support in 1.5.0 for SimpleAuthenticator for using
hash-encoded passwords in server.xml, whereas previously it only
supported hash-encoded passwords passed in to the BIND, and cleartext
password in server.xml.

I'm happy to raise a JIRA and submit a patch / commit my change but
first I wanted to ask some questions:
    1. Is the current hash-encode support designed to stop cleartext
passwords being transmitted when LDAPS is not being used? If so, isn't
the fact that the admin password is in cleartext in server.xml also a
cause for concern?
    2. My current implementation handles all four cases for BIND
password (hash-encode / cleartext) and server.xml password
(hash-encoded / cleartext), where if both are in the same format then
they are just compared literally. I'm a little uneasy about handling
the hash-encode v. hash-encoded case as a literal comparison, because
then the hash effectively becomes the cleartext password. Does anyone
have any opinions on whether I should explicitly exclude support for
this case, and always fail authentication for it (my feeling is
perhaps I should)?
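
The four BIND / server.xml combinations from the message above, with the hash-versus-hash case always failing as the author suggests it perhaps should, written as an added example (not part of the original message and not ApacheDS code). The class and method names are hypothetical, and the `{SHA}` value is assumed to be the prefix followed by the base64 of the SHA-1 digest of the password.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not ApacheDS code.
public class HashedAdminPasswordCheck {
    static final String PREFIX = "{SHA}";

    static boolean isHashed(String v) {
        return v.regionMatches(true, 0, PREFIX, 0, PREFIX.length());
    }

    static byte[] sha1(String cleartext) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1").digest(cleartext.getBytes(StandardCharsets.UTF_8));
    }

    // Assumed format: "{SHA}" followed by base64 of the SHA-1 digest of the password bytes.
    static String encode(String cleartext) throws NoSuchAlgorithmException {
        return PREFIX + Base64.getEncoder().encodeToString(sha1(cleartext));
    }

    static byte[] decode(String hashed) {
        return Base64.getDecoder().decode(hashed.substring(PREFIX.length()));
    }

    // bind: credential presented in the BIND; stored: admin password from configuration.
    static boolean authenticate(String bind, String stored) throws NoSuchAlgorithmException {
        boolean bindHashed = isHashed(bind), storedHashed = isHashed(stored);
        try {
            if (bindHashed && storedHashed) return false; // a literal match would make the hash the password
            if (bindHashed) return MessageDigest.isEqual(decode(bind), sha1(stored));
            if (storedHashed) return MessageDigest.isEqual(sha1(bind), decode(stored));
            return MessageDigest.isEqual(bind.getBytes(StandardCharsets.UTF_8),
                                         stored.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException malformedBase64) {
            return false; // an undecodable {SHA} value never authenticates
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String clear = "secret";          // constructed sample password
        String hashed = encode(clear);    // what the configuration would hold in hashed form
        System.out.println("clear  BIND vs hashed config: " + authenticate(clear, hashed));
        System.out.println("hashed BIND vs clear  config: " + authenticate(hashed, clear));
        System.out.println("clear  BIND vs clear  config: " + authenticate(clear, clear));
        System.out.println("hashed BIND vs hashed config: " + authenticate(hashed, hashed));
        System.out.println("wrong  BIND vs hashed config: " + authenticate("guess", hashed));
    }
}
```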
