Norval Hope wrote:
I have added support in 1.5.0 for SimpleAuthenticator for using
hash-encoded passwords in server.xml, whereas previously it only
supported hash-encoded passwords passed in to the BIND, and cleartext
passwords in server.xml.
I'm happy to raise a JIRA and submit a patch / commit my change but
first I wanted to ask some questions:
1. Is the current hash-encode support designed to stop cleartext
passwords being transmitted when LDAPS is not being used? If so, isn't
the fact that the admin password is in cleartext in server.xml also a
cause for concern?
The current behavior is that if a user password is stored one-way
encrypted in the partition, and a client uses the cleartext value
during a bind request, he is authenticated (if the hash value of the
cleartext password corresponds to the stored value for the user). This
is independent from enabling/using LDAPS.
Providing the hashed value of the userPassword attribute instead of the
original value will be rejected by ApacheDS. This is intended. If
someone was able to catch this value (from an LDIF export for instance),
s/he must still provide the password itself in order to get authenticated.
From the client point of view, both are described with samples here:
http://cwiki.apache.org/DIRxSRVx10/authentication-options.html#Authenticationoptions-Passwordsstoredonewayencrypted
I hope this helps,
Greetings, Stefan
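The server-side check Stefan describes (hash what the client sends in the BIND with the scheme and salt of the stored value, then compare digests, so that replaying the stored hash itself fails) can be illustrated in Python. This is an added example, not ApacheDS code and not from the wiki page linked above; it assumes the RFC 2307 userPassword encodings ({SHA}, {SSHA}, {MD5}) with the usual {SSHA} layout of a 20-byte SHA-1 digest followed by the salt, and the fixed salt and passwords are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Encode a password as an RFC 2307 {SSHA} userPassword value:
    base64(sha1(password + salt) + salt). A random 8-byte salt is used
    unless one is supplied (a fixed salt is only passed here for the demo)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: bytes) -> str:
    """Encode a password as an unsalted {SHA} userPassword value."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def verify_bind(stored: str, supplied: bytes) -> bool:
    """Emulate the directory's simple-bind check against one stored
    userPassword value. `supplied` is exactly what the client put in the
    BIND request; it is hashed with the stored value's scheme (and salt)
    and compared in constant time. A stored value without a {scheme}
    prefix is treated as cleartext and compared directly."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), supplied)
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(supplied + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(supplied).digest(), raw)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(supplied).digest(), raw)
    raise ValueError("unsupported userPassword scheme: " + scheme)


def demo() -> dict:
    """Run the three cases from the thread against one constructed entry:
    cleartext bind succeeds, a wrong password fails, and a client that
    replays the stored hash string (e.g. lifted from an LDIF export) fails."""
    # Constructed test data: fixed salt so the stored value is reproducible.
    stored = make_ssha(b"secret", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    return {
        "stored_value": stored,
        "cleartext_bind": verify_bind(stored, b"secret"),
        "wrong_password": verify_bind(stored, b"Secret"),
        "hash_replayed_as_password": verify_bind(stored, stored.encode("ascii")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The replay case is the one the reply is about: because the server re-hashes whatever arrives in the BIND, the base64 string from an LDIF export is just another wrong password. Note that none of this hides the cleartext password on the wire; only LDAPS (or SASL with a mechanism that does not send the password) does that.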