[ https://issues.apache.org/jira/browse/DIRSERVER-1822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13628807#comment-13628807 ]

Emmanuel Lecharny commented on DIRSERVER-1822:
----------------------------------------------

Actually, ApacheDS does not hash the password when received in clear text by 
default.

But if the Hash interceptor is enabled, then the password will be hashed, and 
salted if required. 

We need to modify the way we check the password when a salted hash is used.
                
> Same password can be used multiple times, when SSHA is used for password hash.
> ------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1822
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1822
>             Project: Directory ApacheDS
>          Issue Type: Bug
>            Reporter: Peter Hmelak
>            Assignee: Kiran Ayyagari
>
> When using SSHA (salted SHA) for password hashing, no CONSTRAINT_VIOLATION 
> (invalid reuse of password present in password history) is thrown, if new 
> password is the same as one already in pwdHistory.
> I believe current implementation just compares new password hash, with 
> ones stored in pwdHistory.
> And because of new salt, no two hashes are ever alike, even though passwords 
> are the same.
> Suggestion for fix:
> *Every* salt stored in pwdHistory should be used, together with new password 
> when creating password hashes, that are then compared with ones already 
> stored in pwdHistory.
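The check the reporter proposes, written out as an added example that is not ApacheDS code: for each history entry, extract the salt from the stored {SSHA} value, hash the candidate password with that same salt, and compare digests. The {SSHA} layout assumed here is the usual one (base64 of the 20-byte SHA-1 digest followed by the salt). The optional `time#syntaxOID#length#` prefix handled by `strip_history_prefix` is the pwdHistory value format from the LDAP password-policy draft and is an assumption about how the attribute is stored; the passwords and salts are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 digest size; the salt is whatever follows it


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def strip_history_prefix(value: str) -> str:
    """pwdHistory values may be 'time#syntaxOID#length#data' (assumed draft
    password-policy format); return only the data part. Bare values pass through."""
    parts = value.split("#", 3)
    return parts[3] if len(parts) == 4 else value


def ssha_split(value: str):
    """Return (digest, salt) from an {SSHA} value, or None for other schemes."""
    value = strip_history_prefix(value)
    if not value.startswith("{SSHA}"):
        return None
    raw = base64.b64decode(value[len("{SSHA}"):])
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def naive_reuse_check(new_password: bytes, history, fresh_salt: bytes = None) -> bool:
    """The behaviour the bug describes: hash the new password with a fresh
    salt and look for that string in the history. Never matches, because the
    stored entries were salted differently."""
    salt = fresh_salt if fresh_salt is not None else os.urandom(8)
    candidate = ssha_hash(new_password, salt)
    return any(strip_history_prefix(h) == candidate for h in history)


def salted_reuse_check(new_password: bytes, history) -> bool:
    """Proposed fix: re-hash the new password with *every* stored salt and
    compare digests in constant time. True means the password was reused."""
    for entry in history:
        parts = ssha_split(entry)
        if parts is None:
            continue  # not an SSHA entry; other schemes need their own handling
        stored_digest, salt = parts
        candidate = hashlib.sha1(new_password + salt).digest()
        if hmac.compare_digest(candidate, stored_digest):
            return True
    return False


# Constructed sample history: two old passwords, each with its own salt,
# one stored bare and one with the time#OID#length# prefix.
SAMPLE_HISTORY = [
    ssha_hash(b"Winter2013!", b"salt-one"),
    "20130411120000Z#1.3.6.1.4.1.1466.115.121.1.40#46#"
    + ssha_hash(b"Spring2013!", b"salt-two"),
]

if __name__ == "__main__":
    for pw in (b"Winter2013!", b"Spring2013!", b"Summer2013!"):
        print(pw.decode(), "naive:", naive_reuse_check(pw, SAMPLE_HISTORY),
              "salted:", salted_reuse_check(pw, SAMPLE_HISTORY))
```

Running the block shows the naive comparison reporting no reuse for all three candidates, while the salt-aware check flags the two passwords that are already in the history and accepts only the genuinely new one. The cost of the fix is one hash computation per history entry, which is bounded by pwdInHistory.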
