From: "Emmanuel Lecharny"
Reply-To: elecharny@iktek.com
To: users@directory.apache.org
Date: Mon, 9 Jul 2007 17:29:30 +0200
Subject: Re: HI

Hi,

On 7/9/07, Hans wrote:
> Well actually there is, but you need to do some guesswork ;-)
> http://en.wikipedia.org/wiki/Rainbow_table
> http://www.antsight.com/zsl/rainbowcrack/
> http://rainbowtables.shmoo.com/

What I meant is that it's not a *feature* to be able to retrieve a password from its crypted form, it's a hack. Sadly, too many passwords are too easy to guess ...

> Don't know if the password hash in ApacheDS is salted, though.

We support SHA, MD5 and their salted forms. We also support {crypt}.

> The password hash should not be possible to extract or query by other means
> than backup, not through a query.

If you use Apache Directory Studio, then you can get the password as text. If your password is something as simple as 'System', 'JamesBond' or 'X007', then any of the listed tools will be able to crack it in a few seconds ...

> If you are allowed to do a search like
> $ ldapsearch -b o=some.root -s sub 'userPassword="{md5}b4b5835f03bd6748e0cc25790d6f3498"' dn
> it would render you all objects with the attribute userPassword equal to
> "the secret password", which may not be such a good idea.
>
> iPlanet DS 4.x allowed searches on userPassword attribute with directory manager privs,
> I found out. Have not tested if this works with ApacheDS.

It would be a good idea to forbid users to do such searches in ADS. I now realize how bad it is to allow anyone to get everyone's passwords ...

Can you file a JIRA?

Thanks !

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
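An added illustration of the salting point discussed in this thread (constructed example code, not ApacheDS or Apache Directory Studio code): it builds userPassword values in the {MD5}/{SMD5}/{SHA}/{SSHA} schemes, verifies a candidate against a stored value, and flags which stored values are unsalted, so that two users sharing the same weak password get the identical attribute value that an equality filter such as the ldapsearch above (or a precomputed table) would match. The layout assumed is the common one of digest followed by salt, base64-encoded; the sample DNs and passwords are constructed.

```python
# Added example, not ApacheDS code. Assumed layout: {SCHEME}base64(digest) for
# SHA/MD5 and {SCHEME}base64(digest + salt) for SSHA/SMD5.
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib algorithm name, salted?)
SCHEMES = {"SHA": ("sha1", False), "SSHA": ("sha1", True),
           "MD5": ("md5", False), "SMD5": ("md5", True)}


def encode_password(password, scheme, salt=None):
    """Return a userPassword value; salted schemes append the salt to the digest."""
    algo, salted = SCHEMES[scheme]
    if not salted:
        digest = hashlib.new(algo, password.encode()).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode())
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def parse_stored(stored):
    """Split a stored value into (scheme, digest, salt); salt is b'' when unsalted."""
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()  # "{md5}" and "{MD5}" are the same scheme
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    dlen = hashlib.new(algo).digest_size
    return scheme, raw[:dlen], (raw[dlen:] if salted else b"")


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, digest, salt = parse_stored(stored)
    algo = SCHEMES[scheme][0]
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_unsalted(entries):
    """Return the DNs whose userPassword uses an unsalted scheme: equal passwords
    share one stored value, so an equality filter or a precomputed table finds them."""
    return [dn for dn, value in entries.items()
            if not SCHEMES[parse_stored(value)[0]][1]]


# Constructed sample directory: alice and bob share the weak password "System".
SAMPLE = {
    "uid=alice,ou=people,o=example": encode_password("System", "MD5"),
    "uid=bob,ou=people,o=example": encode_password("System", "MD5"),
    "uid=carol,ou=people,o=example": encode_password("System", "SSHA"),
}
```

Running `audit_unsalted(SAMPLE)` lists alice and bob only: their {MD5} values are byte-identical, while carol's {SSHA} value differs on every encoding and still verifies.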