directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Norval Hope (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DIRSERVER-817) SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
Date Fri, 23 Mar 2007 10:45:32 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12483508
] 

Norval Hope commented on DIRSERVER-817:
---------------------------------------

Certainly see your point about the dangers of accepting one-way-encrypted passwords, as then
the hash effectively becomes the clear text password.

However, I think there must be some way to avoid both
    a) accepting one-way hashes in bind requests and
    b) having a clear text password in server.xml.

I seem to remember someone on the list mentioning OpenLDAP uses a scheme (hope my memory and
paraphrasing are right) where the configured password in server.xml becomes irrelevant as
soon as a password is persisted in the system partition, which seems a reasonable approach
to me (although I'm by no means an expert - just don't like clear-text passwords in config
files :-) .

> SimpleAuthenticator ehancements, including support for one-way hash for admin password
in server.xml
> ----------------------------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-817
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-817
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.5.0, 1.0
>         Environment: N/A
>            Reporter: Norval Hope
>             Fix For: 1.5.1
>
>         Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions,
but the admin password appears as cleartext in server.xml. I am submitting a patch that allows
a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user
wants both of these features at the same time:
>     a) one-way hashes used for password persistently stored in AD partition    AND
>     b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently
stored value) and "creds" (password provided in bind, which takes text from server.xml in
 the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext)
and compare them literally when both are one-way hashed. This effectively results in the password
being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form
that might put off potential hackers (a very big "might"). Hence end-users really end up choosing
between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to
talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't
support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias"
property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about
the cleartext password in server.xml and may the patch available in case. The root problem
seems to be the fairly strange way the the AD front-end needs the admin password from server.xml
to bind to the back-end.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message