[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-817:
----------------------------------------
Fix Version/s: 1.5.3 (was: 1.5.2)
We will have to address this issue in the next release ...
> SimpleAuthenticator enhancements, including support for one-way hash for admin
> password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.1, 1.0.2, 1.0.1, 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.3
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for
> partitions, but the admin password appears as cleartext in server.xml. I am
> submitting a patch that allows a one-way hash to be used in server.xml to
> protect the admin password. Unfortunately if a user wants both of these
> features at the same time:
> a) one-way hashes used for passwords persistently stored in the AD partition
> AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword"
> (persistently stored value) and "creds" (password provided in bind, which
> takes text from server.xml in the case where front-end of server
> authenticates to back-end in
> org.apache.directory.server.core.jndi.ServerContext) and compare them
> literally when both are one-way hashed. This effectively results in the
> password being in cleartext (or more exactly a cleartext alias) in server.xml
> again, but in a form that might put off potential hackers (a very big
> "might"). Hence end-users really end up choosing between option a) OR b)
> above.
> Also included in the patch is support I needed to get an inflexible legacy
> client to talk to AD. As AD doesn't support changing the DN of the admin
> users, and the client didn't support changing of the bind DN it used, I added
> a simple "java.naming.security.principal.alias" property which allowed
> specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this is to anyone else, but thought I'd raise
> a JIRA about the cleartext password in server.xml and make the patch available
> in case. The root problem seems to be the fairly strange way the AD
> front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
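The comparison problem the reporter describes, as an added illustration that is not ApacheDS code or the attached patch: a permissive authenticator that compares literally when both the stored value and the bind credentials are already hashed ends up accepting the stored hash itself as a valid credential, which is what makes the hash in server.xml a "cleartext alias". The {SHA} encoding, the hypothetical `permissive_compare`/`strict_compare` functions and the sample password are assumptions made for the example.

```python
import base64
import hashlib
import hmac


def sha_hash(password: bytes) -> str:
    """RFC 2307-style {SHA} encoding of a password (assumed scheme for the example)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def is_hashed(value: str) -> bool:
    return value.startswith("{SHA}")


def permissive_compare(stored: str, creds: str) -> bool:
    """Models the behaviour the issue describes (hypothetical, not SimpleAuthenticator):
    when both userPassword and creds are one-way hashed, compare them literally;
    otherwise hash the supplied creds before comparing."""
    if is_hashed(stored) and is_hashed(creds):
        return hmac.compare_digest(stored.encode(), creds.encode())
    if is_hashed(stored):
        return hmac.compare_digest(stored.encode(), sha_hash(creds.encode()).encode())
    return hmac.compare_digest(stored.encode(), creds.encode())


def strict_compare(stored: str, creds: str) -> bool:
    """Hardened variant: bind credentials are always treated as the plaintext
    password and hashed before comparison, so the stored hash alone never binds."""
    if is_hashed(stored):
        return hmac.compare_digest(stored.encode(), sha_hash(creds.encode()).encode())
    return hmac.compare_digest(stored.encode(), creds.encode())


def demo() -> dict:
    admin_password = "constructed-admin-secret"  # constructed sample value
    stored = sha_hash(admin_password.encode())  # what a hashed server.xml entry would hold
    return {
        "permissive_plain": permissive_compare(stored, admin_password),
        "permissive_hash_as_creds": permissive_compare(stored, stored),  # stored hash binds
        "strict_plain": strict_compare(stored, admin_password),
        "strict_hash_as_creds": strict_compare(stored, stored),  # rejected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The strict variant closes the literal-hash comparison but does not remove the root problem the reporter names: a front-end that must bind to the back-end with the admin password still needs that password in a usable form, so a one-way hash in server.xml cannot serve both purposes at once.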