I was pointed at this article and asked if we could implement SSHA256 password hashing instead of SSHA and also do a large number of iterations: http://www.stormpath.com/blog/strong-password-hashing-apache-shiro. So I started exploring the issues involved with implementing this approach.

First, we are using openldap for our directory and it does not appear to support SSHA256 without adding a contributed overlay module described here: http://www.openldap.org/faq/data/cache/1467.html. So far I've been unsuccessful in getting this to compile, but figure it will eventually succeed. Even getting that to work, it does look like I will be able to use openldap's builtin "bind" function. With the right module (as above) openldap can be configured to use the SSHA256 algorithm, but I do NOT find any way to specify more than a single hashing iteration. Maybe I'm missing something here. So I'm going to have to use ldap search for authentication rather than bind.

OK. I am writing my own Shiro realm so I can handle the authentication using ldap search with no problem. Also I can see that by implementing my own CredentialsMatcher I can handle the SSHA256 and multiple iteration requirement. So far, so good.

We also have a PHP WordPress application. I have a relatively simple LDAP authentication plugin that will now need to be re-written to handle password hashing/iteration since ldap bind cannot be used directly.

Does what I've laid out so far sound reasonable? Or am I going about this the wrong way? Is there another way to achieve the objective?

We are a small software shop and this is our initial foray into LDAP and SSO for an outward facing portal. We chose openldap because it seemed ubiquitous and supported on our CENTOS Linux platform.

Thank you - Richard
--
Richard Mixon
Custom Computer Creations, L.L.C.
mobile: (480) 577-6834
office: (480) 614-3442
Microsoft Partner ID: 1263725
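The verification step a custom CredentialsMatcher (or the rewritten PHP plugin) would perform after fetching userPassword via LDAP search, as an added example that is not part of the original message. It reproduces the salted, iterated SHA-256 that Apache Shiro's SimpleHash computes (first round over salt || password, then re-digesting the result); the `{SSHA256-<iterations>}` scheme tag is a constructed convention for this example, not an OpenLDAP scheme, while the base64(digest || salt) payload layout is the one `{SSHA}` already uses.

```python
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 32  # SHA-256 output size in bytes


def iterated_ssha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated SHA-256 as Apache Shiro's SimpleHash computes it:
    round 1 digests salt || password, every further round re-digests the
    previous output. iterations must be >= 1."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def encode_for_ldap(password: bytes, iterations: int, salt: bytes = None) -> str:
    """Build the userPassword value. The {SSHA256-<n>} tag is a constructed
    convention so the iteration count travels with the hash; the payload is
    base64(digest || salt), the same layout {SSHA} uses."""
    if salt is None:
        salt = os.urandom(16)
    digest = iterated_ssha256(password, salt, iterations)
    return "{SSHA256-%d}" % iterations + base64.b64encode(digest + salt).decode("ascii")


def verify(password: bytes, stored: str) -> bool:
    """Parse the stored value, recompute with the stored salt and iteration
    count, and compare in constant time. Any malformed value verifies false."""
    if not stored.startswith("{SSHA256-"):
        return False
    tag, _, payload = stored.partition("}")
    try:
        iterations = int(tag[len("{SSHA256-"):])
        raw = base64.b64decode(payload, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    if iterations < 1 or len(raw) <= DIGEST_LEN:  # need a digest plus a non-empty salt
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    return hmac.compare_digest(iterated_ssha256(password, salt, iterations), digest)


if __name__ == "__main__":
    stored = encode_for_ldap(b"correct horse", 500000)
    print(stored)
    print(verify(b"correct horse", stored), verify(b"wrong", stored))
```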
