Hi Emmanuel!

Emmanuel Lecharny wrote:
> On 2/7/10 11:00 AM, Stefan Zoerner wrote:
>> Good morning Emmanuel!
>>
>> Emmanuel Lecharny wrote:
>>> I will have a look at it tomorrow.
>>
>> That would be great! Thanks!
>
> Done !

Thanks a lot, I have taken into account all your great advice and modified the page a little bit:
http://cwiki.apache.org/confluence/display/DIRxSBOX/Implementing+a+simple+interceptor
I think I can move it to the official documentation, if no one votes against that.
But there is the "One last thing". You wrote:

> One last thing : you should suggest to use SSHA-256, instead of MD5. MD5 is considered as weak : http://www.schneier.com/essay-074.html (so is SSHA1, btw :-)

This is a good hint, and it would be quite easy to configure the PasswordHashInterceptor like that. I tried it out, and the password has been stored encrypted with SSHA-256. Unfortunately, ApacheDS 1.5.5 does not authenticate users with passwords stored like that. SSHA-256 is not one of the supported hash algorithms, see class org.apache.directory.server.core.authn.SimpleAuthenticator and enum org.apache.directory.shared.ldap.constants.LdapSecurityConstants.
The same holds true for Apache Directory Studio, btw. It does not support this hash function.
Should I raise a JIRA which addresses that? I think I would even be able to add that on my own to the server, if wished (at least I was able to find the place in the server code ;-).
Greetings from Hamburg,
StefanZ
