Mailing list: dev@directory.apache.org (Apache Directory Developers List)
Message-ID: <4B6EE8FC.30108@labeo.de>
Date: Sun, 07 Feb 2010 17:23:24 +0100
From: Stefan Zoerner
To: Apache Directory Developers List
Subject: Password hashed with SSHA-256 within ApacheDS (was: Re: Implementing a simple interceptor: Adding it to the chain)
References: <4B6DD32F.3090709@labeo.de> <4B6DF7E6.2080001@gmail.com> <4B6E8F55.8040502@labeo.de> <4B6E904E.1050201@gmail.com>
In-Reply-To: <4B6E904E.1050201@gmail.com>

Hi Emmanuel!

Emmanuel Lecharny wrote:
> On 2/7/10 11:00 AM, Stefan Zoerner wrote:
>> Good morning Emmanuel!
>>
>> Emmanuel Lecharny wrote:
>>> I will have a look at it tomorrow.
>>
>> That would be great! Thanks!
> Done !

Thanks a lot, I have taken into account all your great advice and modified the page a little bit:
http://cwiki.apache.org/confluence/display/DIRxSBOX/Implementing+a+simple+interceptor

I think I can move it to the official documentation, if no one votes against that.

But there is the "One last thing". You wrote:

> One last thing : you should suggest to use SSHA-256, instead of MD5. MD5 is considered as weak : http://www.schneier.com/essay-074.html (so is SSHA1, btw :-)

This is a good hint, and it would be quite easy to configure the PasswordHashInterceptor like that. I tried it out, and the password has been stored encrypted with SSHA-256. Unfortunately, ApacheDS 1.5.5 does not authenticate users with passwords stored like that. SSHA-256 is not one of the supported hash algorithms, see class org.apache.directory.server.core.authn.SimpleAuthenticator and enum org.apache.directory.shared.ldap.constants.LdapSecurityConstants.

The same holds true for Apache Directory Studio, btw. It does not support this hash function.

Should I raise a JIRA which addresses that?
I think I would even be able to add that on my own to the server, if wished (at least I was able to find the place in the server code ;-).

Greetings from Hamburg,
StefanZ
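The failure described in the mail is a verifier that does not recognise the scheme prefix of the stored value, so a correctly hashed SSHA-256 password can never match. The following is an added example, not code from the thread or from ApacheDS: a minimal hasher and verifier for the salted-digest layout `{SCHEME}base64(digest || salt)`, with a `supported` table that can be narrowed to imitate a server that only knows SSHA-1. The prefix strings and the `supported` parameter are assumptions modelled on the algorithm names in the mail, not the exact constants from LdapSecurityConstants.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Salted-digest schemes in the userPassword convention "{SCHEME}" + base64(digest || salt).
# Prefix spellings are assumptions; check LdapSecurityConstants for what a given
# ApacheDS version actually writes.
ALL_SCHEMES: Dict[str, Callable] = {
    "{SSHA}": hashlib.sha1,        # salted SHA-1, 20-byte digest
    "{SSHA-256}": hashlib.sha256,  # salted SHA-256, 32-byte digest
}

# A verifier that only knows SSHA-1: the situation the mail describes, where an
# SSHA-256 value is stored but binds against it always fail.
LEGACY_SCHEMES: Dict[str, Callable] = {"{SSHA}": hashlib.sha1}


def hash_password(password: str, scheme: str = "{SSHA-256}",
                  salt: Optional[bytes] = None) -> str:
    """Return the userPassword value for `password` under `scheme`."""
    if scheme not in ALL_SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    if salt is None:
        salt = os.urandom(8)  # fresh per-password salt
    digest = ALL_SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str,
                    supported: Dict[str, Callable] = ALL_SCHEMES) -> bool:
    """True if `candidate` matches `stored`; an unknown prefix is a plain bind failure."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    prefix = stored[: stored.index("}") + 1]
    algo = supported.get(prefix)
    if algo is None:
        return False  # scheme not supported by this verifier
    try:
        raw = base64.b64decode(stored[len(prefix):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest_len = algo().digest_size
    if len(raw) <= digest_len:
        return False  # no salt bytes after the digest
    digest, salt = raw[:digest_len], raw[digest_len:]
    recomputed = algo(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)
```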