Need to simplify process for changing admin password
----------------------------------------------------
Key: DIRSERVER-610
URL: http://issues.apache.org/jira/browse/DIRSERVER-610
Project: Directory ApacheDS
Type: Improvement
Components: core
Versions: 1.0-RC1
Reporter: Endi S. Dewata
As described in
http://directory.apache.org/subprojects/apacheds/docs/users/authentication.html,
currently to change admin password you need to perform 2 steps: ldapmodify and
then change server.xml. While the functionality works just fine, this has
become a usability issue in both stand-alone and embedded mode as the admin
user is required to maintain the same passwords stored in 2 different
locations. Even though requiring a password in server.xml might prevent an
unauthorized user from starting the server, it's also a security risk because
the password is stored in plain text and probably cannot be encrypted because
it needs to be validated against the one stored in the backend.
Several alternatives:
1. Automatically modify server.xml when the admin password is changed via
ldapmodify. However, if the user changed server.xml manually it will become
unsynchronized. Also, in embedded mode this might not work because the config
might not be stored in server.xml.
2. Store the admin password (or just the hash value) in the configuration file
only (server.xml) as in OpenLDAP. When the admin user binds, the password will
be validated against this hash value.
3. Store the admin password in the backend storage only along with other users'
passwords. This might be the simplest solution because it's already been
implemented.
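Alternative 2 worked through as an added example (this is not ApacheDS or OpenLDAP code): the admin password is kept in the configuration only as an OpenLDAP-style {SSHA} value, i.e. base64 of SHA-1(password + salt) followed by the salt, and an admin bind is validated against that hash instead of against a plain-text copy. The in-memory config dictionary, the admin DN and the helper names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} string: base64(sha1(password + salt) + salt).

    A random 8-byte salt is generated when none is supplied, so two admins with the
    same password still get different stored values.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a bind password against a stored {SSHA} value.

    The salt is recovered from the stored value, the candidate digest is recomputed
    and compared in constant time so the check does not leak how many bytes matched.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("stored value is not an {SSHA} hash")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed stand-in for the single configuration entry alternative 2 needs.
# A real server.xml (or slapd.conf) would carry these two values; the DN and the
# key names are assumptions for this example, and the hash is generated at import
# time only so the example runs stand-alone.
ADMIN_CONFIG = {
    "rootdn": "uid=admin,ou=system",
    "rootpw": ssha_hash("secret"),
}


def check_admin_bind(bind_dn: str, password: str, config=ADMIN_CONFIG) -> bool:
    """Model the bind path for the configured admin: compare the DN (case-insensitive,
    whitespace-trimmed, which is good enough for this demo), then verify the hash.
    Any other DN would be handled by the normal backend lookup and is rejected here."""
    if bind_dn.strip().lower() != config["rootdn"].lower():
        return False
    return ssha_verify(password, config["rootpw"])


if __name__ == "__main__":
    print("configured rootpw:", ADMIN_CONFIG["rootpw"])
    print("admin/secret ->", check_admin_bind("uid=admin,ou=system", "secret"))
    print("admin/wrong  ->", check_admin_bind("uid=admin,ou=system", "wrong"))
```

Changing the admin password under this model means replacing the single rootpw value with a fresh ssha_hash() output, so there is no second copy to keep in sync and nothing in plain text on disk. {SSHA} is shown because the issue names OpenLDAP; the same structure works unchanged with a slower, salted scheme such as PBKDF2 if SHA-1 is not acceptable.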
Related issue:
- http://jira.safehaus.org/browse/PENROSE-142
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira