directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DIRSERVER-610) Need to simplify process for changing admin password
Date Sun, 01 Jul 2007 14:23:04 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRSERVER-610:
----------------------------------------

    Affects Version/s:     (was: 1.0-RC1)
                       1.0.2
                       1.5.0
        Fix Version/s: 1.0.3
                       1.5.2

Endi is right.

We need to find a better way to handle the admin password.

> Need to simplify process for changing admin password
> ----------------------------------------------------
>
>                 Key: DIRSERVER-610
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-610
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.0.2, 1.5.0
>            Reporter: Endi S. Dewata
>             Fix For: 1.5.2, 1.0.3
>
>
> As described in http://directory.apache.org/subprojects/apacheds/docs/users/authentication.html,
> currently to change admin password you need to perform 2 steps: ldapmodify and then change
> server.xml. While the functionality works just fine, this has become a usability issue in
> both stand-alone and embedded mode as the admin user is required to maintain the same passwords
> stored in 2 different locations. Even though requiring a password in server.xml might prevent
> unauthorized user from starting the server, it's also a security risk because the password
> is stored in plain text and probably cannot be encrypted because it needs to be validated
> against the one stored in the backend.
> Several alternatives:
> 1. Automatically modify server.xml when the admin password is changed via ldapmodify.
> However, if the user changed server.xml manually it will become unsynchronized. Also, in embedded
> mode this might not work because the config might not be stored in server.xml.
> 2. Store the admin password (or just the hash value) in the configuration file only (server.xml)
> as in OpenLDAP. When the admin user binds, the password will be validated against this hash
> value.
> 3. Store the admin password in the backend storage only along with other users' passwords.
> This might be the simplest solution because it's already been implemented.
> Related issue:
>  - http://jira.safehaus.org/browse/PENROSE-142

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
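The issue's alternative 2 (keep only a salted hash of the admin password in the configuration, OpenLDAP rootpw style, and validate a bind against it) is easy to misread as "encrypt the password in server.xml". The example below is added here to show the actual mechanism; it is not ApacheDS or OpenLDAP code. The admin DN `uid=admin,ou=system`, the property names `admin.password` / `admin.password.hash`, and the two dictionaries standing in for a plain-text and a hashed server.xml are all constructed for illustration.

```python
"""Admin credential kept as a salted hash in the server configuration.

Added example, not ApacheDS code. Implements the {SSHA} scheme that
OpenLDAP accepts for rootpw: base64( sha1(password + salt) + salt ).
The configuration then holds only a verifier, so there is no second
plain-text copy of the secret to keep in sync with the backend.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # byte length of a SHA-1 digest

# Assumed admin DN and property names (not taken from the issue).
ADMIN_DN = "uid=admin,ou=system"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} string for storage in the config file."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per stored value
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a bind password against a stored {SSHA} value.

    Malformed stored values are rejected rather than raising, and the
    digest comparison is constant-time so timing does not leak which
    byte of the hash first differed.
    """
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:  # digest present but no salt: reject
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


# Constructed stand-ins for the two server.xml variants the issue contrasts.
WEAK_CONFIG = {"admin.dn": ADMIN_DN, "admin.password": "secret"}            # plain text
HARDENED_CONFIG = {"admin.dn": ADMIN_DN, "admin.password.hash": make_ssha("secret")}


def bind_admin(config: dict, dn: str, password: str) -> bool:
    """Simulated simple bind for the configured admin entry.

    Only the admin DN is handled here; other DNs would go to the backend.
    DN comparison is exact for brevity (real servers normalise DNs first).
    """
    if dn != config["admin.dn"]:
        return False
    stored_hash = config.get("admin.password.hash")
    if stored_hash is not None:
        return verify_ssha(stored_hash, password)
    # Legacy layout: plain-text field, readable by anyone with file access.
    plain = config.get("admin.password", "")
    return hmac.compare_digest(password.encode("utf-8"), plain.encode("utf-8"))


def rotate_admin_password(config: dict, new_password: str) -> dict:
    """Rotate the admin password in one step: only the hash in the config changes.

    Returns a new config and never carries the plain-text field forward.
    """
    rotated = {k: v for k, v in config.items() if k != "admin.password"}
    rotated["admin.password.hash"] = make_ssha(new_password)
    return rotated


if __name__ == "__main__":
    print(HARDENED_CONFIG["admin.password.hash"])
    print("bind ok:", bind_admin(HARDENED_CONFIG, ADMIN_DN, "secret"))
    print("bad pw :", bind_admin(HARDENED_CONFIG, ADMIN_DN, "wrong"))
```

{SSHA} is shown because it is the scheme the issue points at via OpenLDAP; the structure (salt inside the stored value, constant-time compare, reject malformed input) carries over unchanged to a slower password hash, which is what a new deployment should prefer over SHA-1. Note also what this alternative does not solve: the hash still lives in a file, so file permissions on server.xml remain part of the admin credential's protection.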

