On Sun, Oct 31, 2010 at 9:49 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> hello dev,
>
> Currently we don't have a feature to automatically hash the passwords before
> storing them. I would like to propose that we add this feature.
>
> I would like to add a new interceptor to support this feature:
>
>  1. It is easy to enable/disable without adding more config options
>      to DirectoryService
>
>  2. We can place it at the appropriate position in the interceptor chain so that
>      the changelog and journals will also have the same password as the DIT
>
> We currently support the following hashing algorithms:
>       SHA, SSHA, MD5, SMD5, Crypt, SHA-2 (256, 384, 512 along with their
>       salted counterparts)

Should be sufficient.
> Studio might need to change its 'password change' screen by adding an option
> to send the plain text password even though the original password is hashed.
> (AFAIU Studio currently hashes on the client side and sends the hash.)


Thanks for taking this on Kiran. Any bit of additional security is great. I know you've thought through all the relevant implications this might have with any other authentication mechanisms we have.

Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu
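As an added example (not code from this thread or from ApacheDS itself), the block below shows in Python the {SCHEME} userPassword encoding shared by the digest schemes listed in Kiran's mail: hashing with an appended salt, verification that recovers the salt from the stored value, and the "already hashed?" check an interceptor needs so that a value a client such as Studio hashed on its side is not hashed a second time. The scheme labels ({SHA-256} and friends, the usual LDAP spelling), the 8-byte salt length and the function names are assumptions of this example; Crypt is left out because it is not a plain digest.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# {SCHEME} label -> digest. The labels follow the usual LDAP spelling; they
# are an assumption of this example, not necessarily ApacheDS's own constants.
DIGESTS = {
    "SHA": hashlib.sha1, "SSHA": hashlib.sha1,
    "MD5": hashlib.md5, "SMD5": hashlib.md5,
    "SHA-256": hashlib.sha256, "SSHA-256": hashlib.sha256,
    "SHA-384": hashlib.sha384, "SSHA-384": hashlib.sha384,
    "SHA-512": hashlib.sha512, "SSHA-512": hashlib.sha512,
}
SALTED = {"SSHA", "SMD5", "SSHA-256", "SSHA-384", "SSHA-512"}
SALT_LEN = 8  # assumed salt length; the format itself allows any length

_SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}")


def scheme_of(value: bytes) -> Optional[str]:
    """Return the {SCHEME} label if value already carries a known one, else None."""
    m = _SCHEME_RE.match(value)
    if m is None:
        return None
    label = m.group(1).decode("ascii").upper()
    return label if label in DIGESTS else None


def hash_password(plain: bytes, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> bytes:
    """Encode plain as {SCHEME}base64(digest(plain || salt) || salt)."""
    scheme = scheme.upper()
    digest = DIGESTS[scheme]
    if scheme in SALTED:
        if salt is None:
            salt = os.urandom(SALT_LEN)
    else:
        salt = b""  # unsalted schemes carry no trailing salt bytes
    raw = digest(plain + salt).digest() + salt
    return b"{" + scheme.encode("ascii") + b"}" + base64.b64encode(raw)


def verify_password(plain: bytes, stored: bytes) -> bool:
    """Check plain against a stored {SCHEME} value using a constant-time compare.

    The salt is whatever follows the digest in the decoded payload, so values
    produced with a different salt length still verify."""
    scheme = scheme_of(stored)
    if scheme is None:
        # Legacy clear-text value: compare as-is.
        return hmac.compare_digest(plain, stored)
    digest = DIGESTS[scheme]
    raw = base64.b64decode(stored[len(scheme) + 2:])
    dlen = digest().digest_size
    if len(raw) < dlen:
        return False
    if scheme in SALTED:
        salt = raw[dlen:]
    else:
        if len(raw) != dlen:
            return False
        salt = b""
    expected = digest(plain + salt).digest()
    return hmac.compare_digest(expected, raw[:dlen])


def intercept_user_password(value: bytes, scheme: str = "SSHA") -> bytes:
    """What a hashing interceptor would do to userPassword on add/modify:
    leave a value that already carries a known {SCHEME} prefix untouched
    (a client that hashed on its side must not be double-hashed) and hash
    a clear-text value with the configured scheme."""
    if scheme_of(value) is not None:
        return value
    return hash_password(value, scheme)


if __name__ == "__main__":
    stored = intercept_user_password(b"secret")          # constructed input
    print(stored.decode())
    print(verify_password(b"secret", stored), verify_password(b"wrong", stored))
    print(intercept_user_password(stored) == stored)     # no double hashing
```

The prefix check is exactly why the thread worries about Studio: if a client already sends `{SSHA}...`, an interceptor that hashes unconditionally would store a hash of the hash and lock the user out. The remaining gap, which prefix detection cannot close, is a clear-text password that happens to begin with a `{SCHEME}` string; that is why the mail suggests letting Studio send plain text explicitly.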