Simple bind, if user's password is stored one-way encrypted (DIREVE-296)
Stefan Zoerner
11-22-05 10:45 PM

Hi all!

In order to start the implementation of DIREVE-296 I made a minor change
to class SimpleAuthenticator in org.apache.ldap.server.authn. If a user
password is stored as a hash value, the authenticator now applies the
same algorithm to the provided password, and compares it to the stored
message digest.

The component supports all algorithms known to
java.security.MessageDigest, e.g. SHA and MD5.

Example: Create an entry like this, with a hashed password ("scarlet" in
this case, with SHA applied):

dn: cn=Tori Amos,dc=example,dc=com
sn: Amos
objectClass: person
objectClass: top
cn: Tori Amos
userPassword: {SHA}W8/gDnKpQb8xodYl5BnNeruhcgM=

Although the pwd is stored one-way encrypted, the user is still able to
bind with the password in clear:

$ ldapsearch -p 10389 -b "dc=example,dc=com" -s sub -D "cn=Tori Amos,dc=example,dc=com" -w scarlet (sn=Amos) dn
cn=Tori Amos,dc=example,dc=com
$ ldapsearch -p 10389 -b "dc=example,dc=com" -s sub -D "cn=Tori Amos,dc=example,dc=com" -w scarle (sn=Amos) dn
ldap_simple_bind: Invalid credentials

One advantage is that an admin user (or any other) is not able to see
the stored passwords in clear text. Furthermore, LDIF exports do not
expose clear passwords.

*** Notes ***

(1) If passwords are stored in clear, the behavior of the class is
unaffected.

(2) Security is not significantly increased, because if one knows the
digested value, s/he may be able to find out the password with a brute
force attack (digest algorithms are both public and fast). But it is a
feature most LDAP servers support, and we have had good experiences with it
in practice.

(3) The server does not automatically store passwords as hash values
(yet). We may easily achieve this by adding functionality to a new or
existing interceptor. I dream of a PasswordStorageInterceptor, which may
also perform configurable syntax checks (minimum complexity etc.), but
we may also do this after the 1.0 release ...

(4) If you wish to store a user's password as a hash, and like UI tools,
you may use one of these clients:
* Softerra LDAP Administrator
* LDAP Browser/Editor 2.8.2 (Jarek Gawor).
Both offer to calculate the hash value of the password before submission
to the server.

Suggestions for improvements are welcome.
Greetings from Hamburg,
Stefan
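The comparison the post describes, written out as an added Python example (this is not the ApacheDS SimpleAuthenticator code, and it does not call any ApacheDS API): the stored userPassword value is parsed as "{SCHEME}base64-digest" in the RFC 2307 style shown in the LDIF, the same digest algorithm is applied to the password supplied at bind time, and the two digests are compared. The mapping of scheme labels to hashlib names, the hash_password helper (what a hashing client such as the ones in note 4 would do before submission) and the salted {SSHA}/{SMD5} variants are assumptions that go beyond the post; note (1), a stored cleartext value being compared directly, is handled as well. The sample entry is constructed from the LDIF in the post.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed sample entry, taken from the LDIF in the post.
SAMPLE_ENTRY = {
    "dn": "cn=Tori Amos,dc=example,dc=com",
    "userPassword": "{SHA}W8/gDnKpQb8xodYl5BnNeruhcgM=",
}

# Assumed mapping of RFC 2307 style scheme labels to hashlib algorithm
# names. {SSHA}/{SMD5} are the salted variants: digest(password + salt) || salt.
SCHEMES = {"SHA": "sha1", "MD5": "md5", "SSHA": "sha1", "SMD5": "md5"}
SALTED = {"SSHA", "SMD5"}


def parse_user_password(stored):
    """Split '{SCHEME}payload' into (scheme, raw bytes).

    A value without a known scheme prefix is treated as cleartext,
    returned as (None, bytes). Raises ValueError on bad base64.
    """
    if stored.startswith("{") and "}" in stored:
        label, _, payload = stored[1:].partition("}")
        label = label.upper()
        if label in SCHEMES:
            try:
                return label, base64.b64decode(payload, validate=True)
            except binascii.Error as exc:
                raise ValueError("malformed userPassword payload") from exc
    return None, stored.encode("utf-8")


def hash_password(password, scheme="SHA", salt=None):
    """Produce a '{SCHEME}base64' value as a hashing client would before submission."""
    scheme = scheme.upper()
    algo = SCHEMES[scheme]
    data = password.encode("utf-8")
    if scheme in SALTED:
        # Salt defaults to 4 random bytes; a fixed salt may be passed for reproducibility.
        salt = os.urandom(4) if salt is None else salt
        raw = hashlib.new(algo, data + salt).digest() + salt
    else:
        raw = hashlib.new(algo, data).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def verify_bind(password, stored):
    """Return True if the bind password matches the stored userPassword value.

    Cleartext storage compares the bytes directly (note 1 in the post);
    hashed storage re-digests the supplied password and compares digests.
    Comparison is constant-time so the check does not leak where the mismatch is.
    """
    try:
        scheme, raw = parse_user_password(stored)
    except ValueError:
        return False
    provided = password.encode("utf-8")
    if scheme is None:
        return hmac.compare_digest(raw, provided)
    algo = SCHEMES[scheme]
    digest_size = hashlib.new(algo).digest_size
    if scheme in SALTED:
        if len(raw) <= digest_size:
            return False  # no salt present: malformed value
        digest, salt = raw[:digest_size], raw[digest_size:]
        candidate = hashlib.new(algo, provided + salt).digest()
    else:
        digest = raw
        candidate = hashlib.new(algo, provided).digest()
    return hmac.compare_digest(candidate, digest)


def simple_bind(entry, password):
    """Mimic the two ldapsearch runs in the post against the sample entry."""
    return verify_bind(password, entry["userPassword"])


if __name__ == "__main__":
    for pw in ("scarlet", "scarle"):
        outcome = "bind ok" if simple_bind(SAMPLE_ENTRY, pw) else "Invalid credentials"
        print("%s -w %s: %s" % (SAMPLE_ENTRY["dn"], pw, outcome))
```

As note (2) in the post says, an unsalted digest of a public, fast algorithm still allows an offline guess at the password once the stored value is known; the salted variants only stop precomputed tables from being reused across entries, so the main gain remains what the post names: administrators and LDIF exports no longer see passwords in clear.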