Storing user passwords other than in clear
------------------------------------------
Key: DIREVE-296
URL: http://issues.apache.org/jira/browse/DIREVE-296
Project: Directory Server
Type: New Feature
Reporter: Stefan Zoerner
Assigned to: Alex Karasulu
Priority: Minor
Because the admin user is allowed to see everything, I suggest storing the
attribute values for user password other than in clear. A nice solution would
be to make this configurable (other server products allow comparable
functionality):
* Configure a hash function to use for password storage (e.g. MD5, SSHA, ...)
* Allow clients to store the value as a hashed value on their own as well
  (calculated with a function other than the configured one, if they like)
* Enable simple bind with value in clear text (hash value calculated within the
  server and compared against the stored value)
* Still allow clear passwords, because some authentication mechanisms need this
  (e.g. DIGEST-MD5)
Hashed values do not add that much security, but at least it is harder for an
admin to catch a password and commit it to his/her memory.
Some products even allow encrypting the password (two-way), but I think the
features above should do for the first run.
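The four bullets above describe the classic LDAP userPassword convention: the stored value carries a `{SCHEME}` prefix, the server hashes the simple-bind password with the scheme and salt taken from the stored value, and a value with no prefix is treated as clear text. The following is an added illustration written for this page, not code from Apache Directory Server; the 8-byte salt length, the function names and the small scheme table are assumptions made here, and the sample passwords and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: salted schemes append an 8-byte salt after the digest. The
# salt length is not encoded in the value; a verifier takes "everything
# after the digest" as the salt, so any length interoperates.
SALT_LEN = 8

# Scheme tag -> digest constructor (only the schemes the request names,
# plus their salted/unsalted siblings).
_DIGESTS = {
    "MD5": hashlib.md5,
    "SMD5": hashlib.md5,
    "SHA": hashlib.sha1,
    "SSHA": hashlib.sha1,
}
_SALTED = {"SMD5", "SSHA"}


def hash_password(password: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Encode a password as {SCHEME}base64(digest(password + salt) + salt)."""
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return password  # clear text is still allowed (e.g. for DIGEST-MD5)
    if scheme not in _DIGESTS:
        raise ValueError("unsupported password scheme: " + scheme)
    if scheme in _SALTED:
        salt = os.urandom(SALT_LEN) if salt is None else salt
    else:
        salt = b""
    digest = _DIGESTS[scheme](password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def _split_scheme(stored: str):
    """Return (scheme, payload); a value without {..} prefix is clear text."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return "CLEAR", stored


def verify_password(stored: str, candidate: str) -> bool:
    """Simple bind: rehash the clear-text candidate with the stored value's
    own scheme and salt, then compare digests in constant time."""
    scheme, payload = _split_scheme(stored)
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"),
                                   candidate.encode("utf-8"))
    if scheme not in _DIGESTS:
        return False  # unknown scheme: refuse, never fall back to clear text
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False  # binascii.Error is a ValueError subclass
    digest_len = _DIGESTS[scheme]().digest_size
    if scheme in _SALTED:
        if len(raw) <= digest_len:
            return False  # salted value must carry at least one salt byte
        stored_digest, salt = raw[:digest_len], raw[digest_len:]
    else:
        if len(raw) != digest_len:
            return False
        stored_digest, salt = raw, b""
    expected = _DIGESTS[scheme](candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, stored_digest)


def store_for_server(client_value: str, configured_scheme: str) -> str:
    """Server-side policy on a userPassword write: a client that already
    supplies a {SCHEME} value keeps its own choice of hash; a clear-text
    value is hashed with the server's configured default."""
    scheme, _ = _split_scheme(client_value)
    if scheme != "CLEAR":
        return client_value
    return hash_password(client_value, configured_scheme)


if __name__ == "__main__":
    # Constructed sample: server default SSHA, one client pre-hashed with MD5.
    entry = {
        "alice": store_for_server("correct horse", "SSHA"),
        "bob": store_for_server(hash_password("battery staple", "MD5"), "SSHA"),
        "svc": store_for_server("plain-for-digest-md5", "CLEAR"),
    }
    for user, stored in entry.items():
        print(user, stored[:12] + "...", verify_password(stored, "wrong"))
```

Calling `verify_password` with the stored value rather than a server-wide scheme is what makes the second bullet work: the scheme the client chose travels with the value, so a server configured for SSHA still binds a user whose entry holds an `{MD5}` value. An admin reading the entry sees only the digest, which is the threat the request is about; this scheme does not slow down offline guessing, which is why the reporter calls the gain modest.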
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira