Yeah, raise a JIRA. Implementing SHA-256 is probably a matter of minutes.

On Sun, Feb 7, 2010 at 5:23 PM, Stefan Zoerner <stefan@labeo.de> wrote:
Hi Emmanuel!

Emmanuel Lecharny wrote:
On 2/7/10 11:00 AM, Stefan Zoerner wrote:
Good morning Emmanuel!

Emmanuel Lecharny wrote:
I will have a look at it tomorrow.

That would be great! Thanks!
Done !

Thanks a lot, I have taken into account all your great advice and modified the page a little bit:

http://cwiki.apache.org/confluence/display/DIRxSBOX/Implementing+a+simple+interceptor

I think I can move it to the official documentation, if no one votes against that.

But there is the "One last thing". You wrote:

> One last thing : you should suggest to use SSHA-256, instead of MD5. MD5 is considered as weak : http://www.schneier.com/essay-074.html (so is SSHA1, btw :-)

This is a good hint, and it would be quite easy to configure the PasswordHashInterceptor like that. I tried it out, and the password has been stored encrypted with SSHA-256. Unfortunately, ApacheDS 1.5.5 does not authenticate users with passwords stored like that. SSHA-256 is not one of the supported hash algorithms, see class org.apache.directory.server.core.authn.SimpleAuthenticator and enum org.apache.directory.shared.ldap.constants.LdapSecurityConstants.

The same holds true for Apache Directory Studio, btw. It does not support this hash function.

Should I raise a JIRA which addresses that? I think I would even be able to add that on my own to the server, if wished (at least I was able to find the place in the server code ;-).

Greetings from Hamburg,
   StefanZ





--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
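
Added example, not part of the original thread and not ApacheDS code: a sketch of why a userPassword value stored with a salted SHA-256 scheme fails to authenticate until the verifier's scheme table knows that scheme. The `{SSHA256}` label, the 8-byte salt, the digest-then-salt layout and the choice to reject unrecognised schemes are assumptions of this sketch.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Scheme label -> (hashlib algorithm, digest length in bytes, salted?).
# Labels are assumptions for this sketch, not copied from ApacheDS.
LEGACY = {"SHA": ("sha1", 20, False), "SSHA": ("sha1", 20, True)}
WITH_SHA256 = dict(LEGACY, SSHA256=("sha256", 32, True))


def hash_password(password, scheme, schemes, salt=None):
    """Build b'{SCHEME}base64(digest || salt)' for storage in userPassword."""
    algo, _, salted = schemes[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password + salt).digest()
    return b"{" + scheme.encode("ascii") + b"}" + base64.b64encode(digest + salt)


def split_scheme(stored):
    """Return (SCHEME, payload), or (None, stored) when there is no {prefix}."""
    if stored.startswith(b"{") and b"}" in stored:
        end = stored.index(b"}")
        return stored[1:end].decode("ascii", "replace").upper(), stored[end + 1:]
    return None, stored


def verify(candidate, stored, schemes):
    """Check a bind password against a stored value, using only known schemes."""
    scheme, payload = split_scheme(stored)
    if scheme is None:
        # No prefix: the stored value is a plaintext password.
        return hmac.compare_digest(candidate, stored)
    if scheme not in schemes:
        # Unrecognised scheme: fail closed, the value cannot be checked.
        return False
    algo, digest_len, _ = schemes[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error:
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    expected = hashlib.new(algo, candidate + salt).digest()
    return hmac.compare_digest(digest, expected)
```

With the `LEGACY` table the stored `{SSHA256}` value can never match, which is the behaviour described in the thread; extending the table is the whole fix on the verification side.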