If you secure your directory connection (SSL, StartTLS; assuming the connection will eventually go off host) and change the naming authentication to simple, the directory does the 'heavy lifting' of computing the hash and comparing with stored hashes. Yes, the client's unencoded password is sent to the directory (albeit over TLS), but the app also doesn't have to do things like compute a hash, fetch, and try to (manually) compare values.
Tom.

On Dec 12, 2013, at 8:04 AM, Ricardo <[email protected]> wrote:

> Hi all,
>
> In my LDAP, I have two kinds of users. The first one has its passwords
> stored as MD5, so I have configured this context:
>
> <bean id="contextSource"
>       class="org.springframework.ldap.core.support.LdapContextSource"
>       p:pooled="false"
>       p:url="ldap://localhost:389"
>       p:userDn="cn=admin,dc=xxx,dc=com"
>       p:password="xxx">
>
>   <property name="baseEnvironmentProperties">
>     <map>
>       <entry key="com.sun.jndi.ldap.connect.timeout" value="3000"/>
>       <entry key="com.sun.jndi.ldap.read.timeout" value="3000"/>
>       <entry key="java.naming.security.authentication" value="DIGEST-MD5"/>
>     </map>
>   </property>
> </bean>
>
> All seems to work fine for these users.
>
> The second kind of users have their passwords stored as SSHA.
>
> What value of the attribute "java.naming.security.authentication" should I
> configure in this scenario?
>
> Thanks in advance for your help guys :)
>
> Best regards,
> Ricardo
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
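To illustrate the point Tom makes above, here is an added Python model of what the directory does on a simple bind against an {SSHA} userPassword, next to the HA1 value a DIGEST-MD5 bind obliges the server to hold. This is example code written for this page, not code from the thread, CAS or Spring LDAP; the DN, password and salt are constructed sample values, and the in-memory dictionary stands in for the directory.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; the salt follows it in the decoded value


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307-style {SSHA} userPassword value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Server-side check: recover the salt from the stored value, re-hash the offered
    password with it and compare in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


# Constructed sample directory (not real data): DN -> stored userPassword value.
SAMPLE_DIRECTORY: Dict[str, str] = {
    "uid=alice,ou=people,dc=example,dc=com": make_ssha("correct horse", salt=b"\x01\x02\x03\x04"),
}


def simple_bind(directory: Dict[str, str], dn: str, password: str) -> bool:
    """Model of a simple bind: the client sends the DN and the raw password, the directory
    looks the entry up and verifies against whatever scheme it stored. The client computes
    no hash, which is why the transport must be TLS (ldaps:// or StartTLS)."""
    stored = directory.get(dn)
    if stored is None:
        return False
    return verify_ssha(stored, password)


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """DIGEST-MD5 (RFC 2831) derives its per-user secret from MD5(username:realm:password).
    The server must already hold that value or the cleartext to verify a DIGEST-MD5 bind;
    it cannot compute it from a salted SHA-1 digest, so the mechanism cannot serve SSHA users."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"
    print("simple bind, right password:", simple_bind(SAMPLE_DIRECTORY, dn, "correct horse"))
    print("simple bind, wrong password:", simple_bind(SAMPLE_DIRECTORY, dn, "incorrect horse"))
    print("DIGEST-MD5 HA1 the server would need:", digest_md5_ha1("alice", "example.com", "correct horse").hex())
```

The model shows the trade Tom describes: with simple authentication the application never fetches or hashes anything, and the same bind works whether the entry holds MD5, SSHA or any other scheme the server understands, at the cost of putting the cleartext on the wire, hence the TLS requirement.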
