Subject: Re: SearchBaseDN, Kerberos, SASL and password hashing...
From: Kiran Ayyagari
To: Apache Directory Developers List
Date: Tue, 9 Apr 2013 22:02:39 +0530
In-Reply-To: <516416F3.5040502@gmail.com>
References: <5162F0B8.7030602@gmail.com> <74C2DB88-F3FE-4E28-8266-5DA68FC6BF7E@marcelot.net> <516405D5.1010809@gmail.com> <516416F3.5040502@gmail.com>

On Tue, Apr 9, 2013 at 6:56 PM, Emmanuel Lécharny wrote:
> On 4/9/13 2:16 PM, Pierre-Arnaud Marcelot wrote:
> > On 9 Apr. 2013, at 14:13, Emmanuel Lécharny wrote:
> >
> >> ATM, here is what I suggest:
> >> - make the hash password interceptor use the kerberos SearchBaseDN
> > But what if we don't have a KDC server defined but still want passwords
> > to be stored as hashed values and enabled the PasswordHashingInterceptor
> > for that purpose?
>
> Anyway, there is a big problem: we don't have access to the
> KerberosServer instance nor to the LdapServer instance from the
> interceptor, so there is no way we can get the searchBaseDn...
>

Let us not interfere with the searchBaseDn semantics; instead, add a config
parameter (as mentioned in my earlier mail) in the hashing interceptor to
whitelist a set of containers that need to be excluded from the hashing
operation.

> --
> Regards,
> Kind regards,
> Emmanuel Lécharny
> www.iktek.com
>

--
Kiran Ayyagari
http://keydap.com
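The container exclusion list proposed above, modelled as a small stand-alone example (added here; this is not ApacheDS code, and the names `is_excluded`, `store_password` and the `{SSHA}` scheme are my own choices, not the project's configuration). It shows why the comparison has to run on normalized DNs: otherwise a write using different case or spacing would fall outside the list and be treated differently from what the administrator intended.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed model of a password-hashing step with a configurable list of
# containers whose entries are left un-hashed (the option discussed in the
# thread). Not ApacheDS code; function names are assumptions.

def normalize_dn(dn):
    """Canonical form for comparison: lower-case types and values, no
    whitespace around RDN separators. Escaped commas are kept as-is."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        typ, _, val = rdn.partition('=')
        rdns.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ','.join(rdns)

def is_excluded(entry_dn, excluded_containers):
    """True when entry_dn is one of, or lies under, an excluded container.
    Both sides are normalized so case or spacing in the write request
    cannot change which side of the list an entry lands on."""
    dn = normalize_dn(entry_dn)
    for container in excluded_containers:
        c = normalize_dn(container)
        if dn == c or dn.endswith(',' + c):
            return True
    return False

def ssha(password, salt=None):
    """{SSHA} as used by many LDAP servers: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode()

def verify_ssha(stored, password):
    """Bind-time check: recover the salt from the stored value, recompute."""
    raw = base64.b64decode(stored[len('{SSHA}'):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def store_password(entry_dn, password, excluded_containers):
    """Value the hashing step would write to userPassword for this entry."""
    if is_excluded(entry_dn, excluded_containers):
        return password  # container opted out: value is stored untouched
    return ssha(password)
```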