i agree that access to such a file would indicate a much larger security problem. 
nevertheless, security files of such nature should not be sitting around on the 
disk. other partitions do not since they are in the form of a JdbmPartition, and 
neither should this one. all the passwords are already hashed, so that is not 
my concern. my concern is all the password policies that are defined within 
it, both OOTB ones, as well as the additional custom ones i created for my own 
interceptor. so is there a way to load a config.ldif into a JdbmPartition 
BEFORE starting directory service? thank you!

> Date: Tue, 9 Jun 2015 11:21:46 +0800
> Subject: Re: config partition as JdbmPartition
> From: [email protected]
> To: [email protected]
> 
> On Tue, Jun 9, 2015 at 5:24 AM, brock samson <[email protected]>
> wrote:
> 
> > i am running apacheds2-M19 as embedded with some custom interceptors. up
> > to this point, i have been using SingleFileLdifPartition to load my
> > config.ldif file. since it loads the config.ldif before
> > DefaultDirectoryService.start(), i am also able to manually set the
> > interceptors via DefaultDirectoryService.setInterceptors() before the start
> > as well. what i do not like about it is that it requires the config.ldif
> > file to be on the disk in clear text, which is a security risk in my
> > opinion. what i would like is for the config partition to
> 
> is your concern about clear text passwords in config.ldif? if yes, then just
> turn them into salted hashes
> other than this I don't see any other security issues with having config in
> plain text. (If someone managed
> to reach this far to access your config file then there is a much bigger
> hole in the network/system ;)
> 
> > look like all other partitions (i.e. system partition), which is a
> > collection of .db and .lg files. i am able to accomplish that by using
> > JdbmPartition class, but i cannot successfully load the config.ldif file
> > via new LdifFileLoader(DefaultDirectoryService.getAdminSession(),
> > config.ldif, null).execute() until after DefaultDirectoryService.start(),
> > which makes it too late to set interceptors. is there a way to have config
> > partition as JdbmPartition AND load its config.ldif before starting the
> > service? or is there another way to not have config.ldif on the disk in
> > clear text? thanks!
> 
> no, it is not possible to have this config loaded into any other partition
> type
> 
> 
> 
> -- 
> Kiran Ayyagari
> http://keydap.com
                                          
