You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Norval Hope (JIRA)" <ji...@apache.org> on 2007/01/08 02:55:27 UTC
[jira] Created: (DIRSERVER-817) SimpleAuthenticator ehancements,
inclduing support for one-way hash for admin password in server.xml
SimpleAuthenticator ehancements, inclduing support for one-way hash for admin password in server.xml
----------------------------------------------------------------------------------------------------
Key: DIRSERVER-817
URL: https://issues.apache.org/jira/browse/DIRSERVER-817
Project: Directory ApacheDS
Issue Type: Improvement
Components: core
Affects Versions: 1.0, 1.5.0
Environment: N/A
Reporter: Norval Hope
Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
a) one-way hashes used for password persistently stored in AD partition AND
b) one-way hash used for admin password in server.xml
then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Stefan Zoerner (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12483502 ]
Stefan Zoerner commented on DIRSERVER-817:
------------------------------------------
>From my point of view, accepting one-way-encrypted password values in a bind request is a security risk. If someone has the opportunity to fetch the encrypted passwords for user entries (from an LDIF export for instance), s/he van simply bind to the server without knowing the real password.
This taken, the advantage of storing the passwords one-way encrypted would be much smaller.
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.1
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Norval Hope (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12483508 ]
Norval Hope commented on DIRSERVER-817:
---------------------------------------
Certainly see your point about the dangers of accepting one-way-encrypted passwords, as then the hash effectively becomes the clear text password.
However, I think there must be some way to avoid both
a) accepting one-way hashes in bind requests and
b) having a clear text password in server.xml.
I seem to remember someone on the list mentioning OpenLDAP uses a scheme (hope my memory and paraphrasing are right) where the configured password in server.xml becomes irrelevant as soon as a password is persisted in the system partition, which seems a reasonable approach to me (although I'm by no means an expert - just don't like clear-text passwords in config files :-) .
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.1
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12483512 ]
Emmanuel Lecharny commented on DIRSERVER-817:
---------------------------------------------
The best solution would be to ask the admin for a password when installling ADS (either in the GUI installer or in CL). As the password is stored into the system partition, it's enough to provide an empty password in the packages.
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.1
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Norval Hope (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Norval Hope updated DIRSERVER-817:
----------------------------------
Attachment: simpleauth.patch
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Closed: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Karasulu closed DIRSERVER-817.
-----------------------------------
Resolution: Fixed
The admin password is not longer in the server.xml file.
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.1, 1.5.0, 1.0.2, 1.0.1, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.4
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Karasulu updated DIRSERVER-817:
------------------------------------
Fix Version/s: (was: 1.5.3)
1.5.4
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.1, 1.5.0, 1.0.2, 1.0.1, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.4
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Norval Hope (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Norval Hope updated DIRSERVER-817:
----------------------------------
Summary: SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml (was: SimpleAuthenticator ehancements, inclduing support for one-way hash for admin password in server.xml)
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-817:
----------------------------------------
Fix Version/s: (was: 1.5.2)
1.5.3
We will have to address this issue in the next release ...
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.1, 1.0.2, 1.0.1, 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.3
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Karasulu updated DIRSERVER-817:
------------------------------------
Fix Version/s: (was: 1.5.1)
1.5.2
Affects Version/s: 1.5.1
1.0.2
1.0.1
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.1, 1.0.2, 1.0.1, 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.2
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12483505 ]
Emmanuel Lecharny commented on DIRSERVER-817:
---------------------------------------------
I think we should just summarize all the Password issue discussions and define a kind of specification about what should be implemented in 1.5.1. The good point is that Enrique is going to commit all it's SASL code as soon as 1.5.0 will be out, and this is also one of the reason we want to release this 1.5.0 : to be able to inject more features like SASL in this tagged version.
someone can add or update a page on confluence where all these passwords issues can ba discussed ?
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.1
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Norval Hope (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12483503 ]
Norval Hope commented on DIRSERVER-817:
---------------------------------------
Certainly no need to hold up 1.5.0 for it. This issue perhaps throws up some points for discussion more then providing a patch of interest for al AD users.
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.1
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-817:
----------------------------------------
Fix Version/s: 1.5.1
What about including this patch in the next version ?
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.1
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-817) SimpleAuthenticator ehancements,
including support for one-way hash for admin password in server.xml
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12490536 ]
Emmanuel Lecharny commented on DIRSERVER-817:
---------------------------------------------
After having worked on the SimpleAuthenticator, and regarding the evolutions we will implement in the way the configuration will be handled, I think that storing the password in the server.xml file is really a security breach.
We should simply store the password (encrypted) into the server when creating the packages, up to the user to change it when he first start the server. May be the installer should ask for another password, otherwize the installation will abort.
> SimpleAuthenticator ehancements, including support for one-way hash for admin password in server.xml
> ----------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-817
> URL: https://issues.apache.org/jira/browse/DIRSERVER-817
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.5.0, 1.0
> Environment: N/A
> Reporter: Norval Hope
> Fix For: 1.5.1
>
> Attachments: simpleauth.patch
>
>
> Currently persistent storage of passwords as one-way hashes is supported for partitions, but the admin password appears as cleartext in server.xml. I am submitting a patch that allows a one-way hash to be used in server.xml to protect the admin passord. Unfortunately if a user wants both of these features at the same time:
> a) one-way hashes used for password persistently stored in AD partition AND
> b) one-way hash used for admin password in server.xml
> then SimpleAuthenticator has to accept one-way hashes for both "userPassword" (persistently stored value) and "creds" (password provided in bind, which takes text from server.xml in the case where front-end of server authenticates to back-end in org.apache.directory.server.core.jndi.ServerContext) and compare them literally when both are one-way hashed. This effectively results in the password being in cleartext (or more exactly a cleartext alias) in server.xml again, but in a form that might put off potential hackers (a very big "might"). Hence end-users really end up choosing between option a) OR b) above.
> Also included in the patch is support I needed to get an inflexible legacy client to talk to AD. As AD doesn't support changing the DN of the admin users, and the client didn't support changing of the bind DN it used, I added a simple "java.naming.security.principal.alias" property which allowed specification of an alias for AD's admin user's DN.
> Not sure how much interest any of this to anyone else, but thought I'd raise a JIRA about the cleartext password in server.xml and may the patch available in case. The root problem seems to be the fairly strange way the the AD front-end needs the admin password from server.xml to bind to the back-end.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.