[
https://issues.apache.org/jira/browse/DIRSERVER-1088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Emmanuel Lecharny resolved DIRSERVER-1088.
------------------------------------------
Resolution: Fixed
I have removed the LdapPrincipal which was stored into the LdapSession, as soon
as the Bind operation is done. This will limit the password visibility to the
minimum.
> Do not cache plain text passwords in credential cache or in LdapPrincipal
> -------------------------------------------------------------------------
>
> Key: DIRSERVER-1088
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1088
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: core
> Affects Versions: 1.5.1, 1.5.0
> Reporter: Alex Karasulu
> Assignee: Emmanuel Lecharny
> Fix For: 1.5.4
>
>
> It's really not a good idea to cache plain text passwords in memory which can
> easily be compromised with memory readers to enable password theft. The best
> thing to do here in the short term is to disable caching if the password is
> plaintext.
> If caching is still desired then a temp key generated at startup can be used
> to encrypt and decrypt plain text password when put into memory. Perhaps
> this is the best option which still keeps performance.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
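The reporter's second option above (keep the cache, but encrypt what goes into it with a key generated at startup and never persisted) is easy to get subtly wrong, so here is an added worked example of that pattern. This is illustration code, not ApacheDS code, and it does not reproduce the fix actually applied (dropping the LdapPrincipal from the LdapSession after Bind); the class name `EphemeralCredentialCache`, the DN and the password value are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical credential cache (not ApacheDS code): plaintext passwords are
 * never stored in the map, only AES-GCM ciphertext under a key that is
 * generated when the process starts and exists nowhere else.
 */
public final class EphemeralCredentialCache {
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    private final SecretKey cacheKey;                 // process lifetime only
    private final SecureRandom random = new SecureRandom();
    private final Map<String, byte[]> entries = new ConcurrentHashMap<>();

    public EphemeralCredentialCache() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        this.cacheKey = kg.generateKey();            // fresh key at startup
    }

    /** Cache a credential for a DN. The caller's plaintext array is wiped on return. */
    public void put(String dn, byte[] password) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        random.nextBytes(iv);                         // unique nonce per entry
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, cacheKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        // Bind the ciphertext to the DN so an entry cannot be re-used for another principal.
        c.updateAAD(dn.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(password);
        Arrays.fill(password, (byte) 0);              // shorten plaintext exposure
        byte[] stored = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, stored, 0, iv.length);
        System.arraycopy(ct, 0, stored, iv.length, ct.length);
        entries.put(dn, stored);
    }

    /** Compare a presented password with the cached one; plaintext exists only inside this call. */
    public boolean matches(String dn, byte[] presented) throws GeneralSecurityException {
        byte[] stored = entries.get(dn);
        if (stored == null) {
            return false;
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, cacheKey,
               new GCMParameterSpec(GCM_TAG_BITS, stored, 0, GCM_IV_BYTES));
        c.updateAAD(dn.getBytes(StandardCharsets.UTF_8));
        byte[] plain = c.doFinal(stored, GCM_IV_BYTES, stored.length - GCM_IV_BYTES);
        try {
            return MessageDigest.isEqual(plain, presented);   // constant-time compare
        } finally {
            Arrays.fill(plain, (byte) 0);                     // wipe decrypted copy
        }
    }

    /** Drop an entry, e.g. on unbind or password change. */
    public void evict(String dn) {
        entries.remove(dn);
    }

    public static void main(String[] args) throws Exception {
        EphemeralCredentialCache cache = new EphemeralCredentialCache();
        String dn = "uid=alice,ou=users,dc=example,dc=com";          // constructed sample
        byte[] pw = "correct horse".getBytes(StandardCharsets.UTF_8); // constructed sample
        cache.put(dn, pw);
        System.out.println("caller's copy wiped: " + (pw[0] == 0));
        System.out.println("right password:      "
            + cache.matches(dn, "correct horse".getBytes(StandardCharsets.UTF_8)));
        System.out.println("wrong password:      "
            + cache.matches(dn, "guess".getBytes(StandardCharsets.UTF_8)));
        cache.evict(dn);
        System.out.println("after evict:         "
            + cache.matches(dn, "correct horse".getBytes(StandardCharsets.UTF_8)));
    }
}
```

Two design points worth noting for anyone weighing this against simply not caching. First, the key lives in the same heap as the ciphertext, so a full memory dump still yields both; what this buys is that a casual scan for printable strings no longer finds passwords, and that the plaintext exists only for the duration of `put` and `matches` rather than for the life of the session. Second, every `String` copy of a password defeats the wiping, because Java strings are immutable and cannot be zeroed; the cache therefore works on `byte[]` end to end.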