Yeah, raise a JIRA. Implementing SHA-256 is probably a matter of minutes.

On Sun, Feb 7, 2010 at 5:23 PM, Stefan Zoerner <[email protected]> wrote:

> Hi Emmanuel!
>
> Emmanuel Lecharny wrote:
>
>> On 2/7/10 11:00 AM, Stefan Zoerner wrote:
>>
>>> Good morning Emmanuel!
>>>
>>> Emmanuel Lecharny wrote:
>>>
>>>> I will have a look at it tomorrow.
>>>>
>>>
>>> That would be great! Thanks!
>>>
>> Done !
>>
>
> Thanks a lot, I have taken into account all your great advice and modified the
> page a little bit:
>
> http://cwiki.apache.org/confluence/display/DIRxSBOX/Implementing+a+simple+interceptor
>
> Think, I can move it to the official documentation, if no one votes against
> that.
>
> But there is the "One last thing". You wrote:
>
> > One last thing : you should suggest to use SSHA-256, instead of MD5. MD5
> > is considered as weak : http://www.schneier.com/essay-074.html (so is
> > SSHA1, btw :-)
>
> This is a good hint, and it would be quite easy to configure the
> PasswordHashInterceptor like that. I tried it out, and the password has been
> stored encrypted with SSHA-256. Unfortunately, ApacheDS 1.5.5 does not
> authenticate users with passwords stored like that. SSHA-256 is not one of
> the supported hash algorithms, see class
> org.apache.directory.server.core.authn.SimpleAuthenticator and enum
> org.apache.directory.shared.ldap.constants.LdapSecurityConstants.
>
> The same holds true for Apache Directory Studio, btw. It does not support
> this hash function.
>
> Should I raise a JIRA which addresses that? I think I would even be able to
> add that on my own to the server, if wished (at least I was able to find the
> place in the server code ;-).
>
> Greetings from Hamburg,
> StefanZ

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
