06-25-06 06:11 PM
[ http://issues.apache.org/jira/brows...ER-261?page=all ]
Stefan Zoerner closed DIRSERVER-261:
------------------------------------
Alex created a new item which describes the missing functionality of this issue: DIRSERVER-289. Therefore I close this one.
> Storing user passwords other than in clear
> ------------------------------------------
>
> Key: DIRSERVER-261
> URL: http://issues.apache.org/jira/browse/DIRSERVER-261
> Project: Directory ApacheDS
> Type: New Feature
> Versions: pre-1.0
> Reporter: Stefan Zoerner
> Assignee: Stefan Zoerner
> Priority: Blocker
> Fix For: 1.0-RC1
>
> Because the admin user is allowed to see everything, I suggest to store the attribute values for user password other than in clear. A nice solution would be to make this configurable (other server products allow comparable functionality):
> * Configure a hash function to use for password storage (e.g. MD5, SSHA, ...)
> * Allow clients to store the value as a hashed value on their own as well (calculated with a function other than the configured one, if they like)
> * Enable simple bind with value in clear text (hash value calculated within the server and compared against the stored value)
> * Still allow clear passwords, because some authentication mechanisms need this (e.g. DIGEST-MD5)
> Hashed values do not add that much security, but at least it is harder for an admin to catch a password and commit it to his/her memory.
> Some products even allow to encrypt the password (two-way), but I think the features above should do for the first run.
--
This message is automatically generated by JIRA.
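The four bullet points in the quoted issue describe one mechanism: a configured default hash for storage, acceptance of client-supplied values hashed with a different scheme, verification of a cleartext simple bind by recomputing the digest inside the server, and a cleartext option for mechanisms such as DIGEST-MD5. The following Python illustration (added here; it is not ApacheDS code and does not reproduce the ApacheDS implementation) shows those rules end to end. It assumes the widely used LDAP `userPassword` layout `{SCHEME}base64(digest [+ salt])` with the salt appended to the digest for salted schemes; the scheme table, the function names `hash_password`, `store_user_password` and `verify_simple_bind`, and all sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re

# Schemes this illustration understands: name -> (hashlib algorithm, salted?).
# The issue names MD5 and SSHA; SHA and SMD5 are added for symmetry and use
# the same {SCHEME}base64(digest [+ salt]) layout (an assumption of this
# example, modelled on the common LDAP userPassword convention).
SCHEMES = {
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
}

# {SCHEME} prefix followed by the payload; LDAP attribute values are octet
# strings, so everything here is handled as bytes.
_PREFIX = re.compile(rb"^\{([A-Za-z0-9]+)\}(.*)$", re.S)


def _digest(algo, password, salt):
    """digest(password || salt); salt is empty for unsalted schemes."""
    h = hashlib.new(algo)
    h.update(password)
    h.update(salt)
    return h.digest()


def hash_password(password, scheme="SSHA", salt=None):
    """Encode a cleartext password as {SCHEME}base64(digest [+ salt])."""
    algo, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(8) if salt is None else salt  # fresh random salt per value
    else:
        salt = b""
    payload = _digest(algo, password, salt) + salt
    return b"{" + scheme.encode("ascii") + b"}" + base64.b64encode(payload)


def store_user_password(value, default_scheme="SSHA"):
    """Decide what the server keeps in userPassword for an incoming value.

    - a value the client already hashed with any known {SCHEME} is kept as-is,
      even if that scheme differs from the configured default;
    - {CLEAR} is kept verbatim, for mechanisms that need the cleartext;
    - anything else is treated as cleartext and hashed with default_scheme.
    """
    m = _PREFIX.match(value)
    if m:
        scheme = m.group(1).decode("ascii").upper()
        if scheme == "CLEAR" or scheme in SCHEMES:
            return value
    return hash_password(value, default_scheme)


def verify_simple_bind(stored, candidate):
    """Check a cleartext simple-bind password against the stored value.

    The server recomputes the digest with the stored value's own scheme and
    salt, so clients that hashed on their own still authenticate. Comparisons
    use hmac.compare_digest so the check does not leak timing information.
    """
    m = _PREFIX.match(stored)
    if not m:
        # Legacy value without a scheme prefix: treated as cleartext.
        return hmac.compare_digest(stored, candidate)
    scheme = m.group(1).decode("ascii").upper()
    if scheme == "CLEAR":
        return hmac.compare_digest(m.group(2), candidate)
    if scheme not in SCHEMES:
        return False  # unknown scheme: fail closed rather than guess
    algo, salted = SCHEMES[scheme]
    try:
        payload = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return False  # malformed payload
    dlen = hashlib.new(algo).digest_size
    if len(payload) < dlen or (not salted and len(payload) != dlen):
        return False
    digest, salt = payload[:dlen], payload[dlen:]
    return hmac.compare_digest(_digest(algo, candidate, salt), digest)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    stored = store_user_password(b"secret")  # hashed with the default scheme
    print(stored, verify_simple_bind(stored, b"secret"), verify_simple_bind(stored, b"wrong"))
    client_hashed = store_user_password(b"{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==")  # kept as-is
    print(client_hashed, verify_simple_bind(client_hashed, b"secret"))
```

The design point worth noting is that verification is driven by the scheme recorded in the stored value, not by the server's configured default, which is what lets a client-chosen hash coexist with the server's own. Unknown schemes and malformed payloads fail closed, and MD5 and unsalted SHA are included only because the issue mentions them; a deployment choosing a default today would pick a salted scheme.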