directory-dev mailing list archives

From Stefan Zoerner <ste...@labeo.de>
Subject Password hashed with SSHA-256 within ApacheDS (was: Re: Implementing a simple interceptor: Adding it to the chain)
Date Sun, 07 Feb 2010 16:23:24 GMT
Hi Emmanuel!

Emmanuel Lecharny wrote:
> On 2/7/10 11:00 AM, Stefan Zoerner wrote:
>> Good morning Emmanuel!
>>
>> Emmanuel Lecharny wrote:
>>> I will have a look at it tomorrow.
>>
>> That would be great! Thanks!
> Done !

Thanks a lot, I have taken into account all your great advice and modified 
the page a little bit:

http://cwiki.apache.org/confluence/display/DIRxSBOX/Implementing+a+simple+interceptor 


I think I can move it to the official documentation, if no one votes 
against that.

But there is the "One last thing". You wrote:

 > One last thing : you should suggest to use SSHA-256, instead of MD5.
 > MD5 is considered as weak : http://www.schneier.com/essay-074.html (so
 > is SSHA1, btw :-)

This is a good hint, and it would be quite easy to configure the 
PasswordHashInterceptor like that. I tried it out, and the password has 
been stored encrypted with SSHA-256. Unfortunately, ApacheDS 1.5.5 does 
not authenticate users with passwords stored like that. SSHA-256 is not 
one of the supported hash algorithms, see class 
org.apache.directory.server.core.authn.SimpleAuthenticator and enum 
org.apache.directory.shared.ldap.constants.LdapSecurityConstants.

The same holds true for Apache Directory Studio, btw. It does not support 
this hash function.

Should I raise a JIRA which addresses that? I think I would even be able 
to add that on my own to the server, if wished (at least I was able to 
find the place in the server code ;-).

Greetings from Hamburg,
     StefanZ
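
The mismatch described in the message above, as an added example that is not part of the original post and is not ApacheDS code: a value written with a salted SHA-256 scheme can only be checked at bind time if the verifier also knows that scheme. The class, the method names, the 8-byte salt and the `{SSHA256}` label are assumptions made for illustration; the layout shown is the common salted-hash form, base64 of the digest followed by the salt.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;

public class SaltedPasswordDemo {
    // Scheme label -> JCA digest name. Labels are assumptions, not taken from ApacheDS.
    static final Map<String, String> OLD_VERIFIER = Map.of("SSHA", "SHA-1");
    static final Map<String, String> NEW_VERIFIER = Map.of("SSHA", "SHA-1", "SSHA256", "SHA-256");

    static byte[] digest(String alg, String password, byte[] salt) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance(alg);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        return md.digest();
    }

    // Write side: "{SCHEME}" + base64(digest(password || salt) || salt).
    static String hash(String scheme, String alg, String password) throws GeneralSecurityException {
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);
        byte[] d = digest(alg, password, salt);
        byte[] out = Arrays.copyOf(d, d.length + salt.length);
        System.arraycopy(salt, 0, out, d.length, salt.length);
        return "{" + scheme + "}" + Base64.getEncoder().encodeToString(out);
    }

    // Bind side: dispatch on the scheme label; a label the verifier does not know is rejected.
    static boolean verify(Map<String, String> schemes, String stored, String candidate)
            throws GeneralSecurityException {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) return false;
        String alg = schemes.get(stored.substring(1, close).toUpperCase(java.util.Locale.ROOT));
        if (alg == null) return false;
        byte[] raw = Base64.getDecoder().decode(stored.substring(close + 1));
        int len = MessageDigest.getInstance(alg).getDigestLength();
        if (raw.length <= len) return false; // no salt present
        byte[] salt = Arrays.copyOfRange(raw, len, raw.length);
        // Constant-time comparison of the stored digest with the recomputed one.
        return MessageDigest.isEqual(Arrays.copyOf(raw, len), digest(alg, candidate, salt));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String stored = hash("SSHA256", "SHA-256", "secret"); // constructed sample password
        System.out.println("old verifier, right password: " + verify(OLD_VERIFIER, stored, "secret"));
        System.out.println("new verifier, right password: " + verify(NEW_VERIFIER, stored, "secret"));
        System.out.println("new verifier, wrong password: " + verify(NEW_VERIFIER, stored, "guess"));
    }
}
```

Running it shows the correct password rejected by the verifier that lacks the scheme and accepted once the scheme is registered, which is why the hashing side and the authenticating side have to be extended together.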


