Hi Richard, yes, if you can't configure the LDAP server to be aware of
iterations/complexity, then I think doing the matching at the Realm level
(with a PasswordMatcher) would be good.

HTH!

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Mon, Jan 13, 2014 at 5:11 PM, Richard Mixon <[email protected]> wrote:

> Les, I've actually got the Shiro realm working - with either SSHA or
> SSHA256. But now it looks like neither of the LDAP server's built-in bind
> functions allows you to specify how many hash iterations to compute,
> only the algorithm to use. So I guess that means I just do an LDAP search
> instead of a bind and do the matching in my realm logic.
>
> Or am I missing something?
>
> Thanks!
>
> Sent from my iPhone
>
> On Jan 13, 2014, at 16:20, Les Hazlewood <[email protected]> wrote:
>
> Hi Richard,
>
> If I understand correctly, your challenge is that you want to configure
> the LDAP server of choice to compute SSHA256?  And then to have Shiro read
> in that record, look at the hashed value and then do the comparison?
>
> Best,
>
> Les
>
> On Mon, Jan 13, 2014 at 8:54 AM, rnmixon <[email protected]> wrote:
>
>> A bit more info ...
>>
>> We are putting together a small outward facing portal - implementing an LDAP
>> directory is part of that effort (we use Microsoft AD for internal users).
>>
>> At this point we've written the PHP plugin for our WordPress site to
>> authenticate external partners via the LDAP directory and internal
>> users/employees using our Microsoft Active Directory. I'm doing the same for
>> the two Java applications that need to be integrated.
>>
>> Currently, I'm trying to meet a new requirement I received last week to use
>> SSHA256 instead of SSHA and to use a high number of hashing iterations as
>> Les' article suggested.
>>
>> In theory OpenLDAP can do this using the sha2 plugin, but it's been slow
>> getting it to work - after quite a few years it has not been included in the
>> base product's plugin set - and there appear to be some philosophical wars
>> as to whether more advanced hashes can or should be included in the core
>> product plugins.
>>
>> So at this point I've allocated a day (today) to look at the Fedora 389
>> Directory Server and see if it offers a smoother path. So far that seems to
>> be the case, but I'm not all the way there yet.
>>
>> Any thoughts or suggestions on a better path? This is a first step for us -
>> I'm sure we'll evaluate and reconsider after it's implemented.
>>
>> Thank you - Richard
>>
>>
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Implementing-strong-password-hashing-with-Shiro-and-Openldap-tp7579496p7579498.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
>
>
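The approach the thread settles on is: search the directory for the user's stored hash instead of binding as the user, and let a Shiro Realm with a PasswordMatcher do the iterated SHA-256 comparison. The Java below is an added example of such a realm; it is not code from this thread or from the Shiro project. It assumes the application, not the LDAP server, computes the hash (in Shiro's own `$shiro1$` string format, which carries algorithm, iteration count and salt) and writes it to a directory attribute the schema permits, here the hypothetical `appPasswordHash`; that user entries are keyed by `uid`; and that a read-only service account performs the search. The Shiro classes used (`DefaultPasswordService`, `DefaultHashService`, `PasswordMatcher`, `AuthorizingRealm`) are Shiro 1.2+ APIs.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Returns the application-managed hash string stored for a user, or null if there is no entry. */
interface StoredHashLookup {
    String findStoredHash(String username);
}

/** Reads the stored hash with an LDAP *search* (no bind as the user); a service account does the search. */
class LdapStoredHashLookup implements StoredHashLookup {
    private final String url, baseDn, serviceDn, servicePassword, hashAttribute;

    LdapStoredHashLookup(String url, String baseDn, String serviceDn, String servicePassword, String hashAttribute) {
        this.url = url; this.baseDn = baseDn; this.serviceDn = serviceDn;
        this.servicePassword = servicePassword; this.hashAttribute = hashAttribute;
    }

    public String findStoredHash(String username) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                   // use an ldaps:// URL so the hash is not read in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] { hashAttribute });
            // The username is passed as filter argument {0}, which JNDI escapes, so a crafted
            // login name cannot change the structure of the filter (LDAP filter injection).
            NamingEnumeration<SearchResult> results =
                    ctx.search(baseDn, "(uid={0})", new Object[] { username }, controls);
            if (!results.hasMore()) return null;
            Attribute attr = results.next().getAttributes().get(hashAttribute);
            if (attr == null) return null;
            Object value = attr.get();                       // JNDI returns byte[] for some attribute syntaxes
            return value instanceof byte[] ? new String((byte[]) value, StandardCharsets.UTF_8) : value.toString();
        } catch (NamingException e) {
            throw new AuthenticationException("directory lookup failed", e);
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
    }
}

/** Shiro realm: the directory only stores the hash string; Shiro's PasswordMatcher does the comparison. */
public class IteratedHashLdapRealm extends AuthorizingRealm {
    private final StoredHashLookup lookup;
    private final DefaultPasswordService passwordService = new DefaultPasswordService();

    public IteratedHashLdapRealm(StoredHashLookup lookup, int iterations) {
        this.lookup = lookup;
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setHashIterations(iterations);
        hashService.setGeneratePublicSalt(true);             // random per-user salt, kept inside the stored string
        passwordService.setHashService(hashService);
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        setCredentialsMatcher(matcher);
    }

    /** Provisioning / password change: encryptPassword() output is what gets written to the directory. */
    public DefaultPasswordService getPasswordService() { return passwordService; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = (String) token.getPrincipal();
        String stored = lookup.findStoredHash(username);
        if (stored == null) throw new UnknownAccountException("no directory entry for " + username);
        // stored looks like $shiro1$SHA-256$<iterations>$<salt>$<hash>; PasswordMatcher parses it,
        // re-hashes the submitted password with the same salt and iteration count, and compares.
        return new SimpleAuthenticationInfo(username, stored, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo();                // roles/permissions are out of scope here
    }

    public static void main(String[] args) {
        // Constructed in-memory stand-in for the directory so the flow runs without an LDAP server; in
        // production use new LdapStoredHashLookup("ldaps://...", "ou=people,...", "cn=reader,...", pw, "appPasswordHash").
        Map<String, String> entries = new HashMap<>();
        IteratedHashLdapRealm realm = new IteratedHashLdapRealm(entries::get, 500000);
        entries.put("richard", realm.getPasswordService().encryptPassword("correct horse battery staple"));
        realm.getAuthenticationInfo(new UsernamePasswordToken("richard", "correct horse battery staple"));
        System.out.println("correct password accepted");
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken("richard", "wrong password"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
    }
}
```

Two points worth checking when deploying this. First, the service account that performs the search should have read access to the hash attribute and nothing else, and the directory ACL should deny that attribute to ordinary users, since anyone who can read it can run an offline guessing attack against it (the high iteration count slows that down but does not prevent it). Second, keep the iteration count in one place: the realm's `DefaultPasswordService` is used both to create hashes and to verify them, so a later increase in iterations only affects newly hashed passwords, while existing entries still verify with the count recorded in their own `$shiro1$` string.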
