Posted to dev@directory.apache.org by "Andreas Oberritter (JIRA)" <ji...@apache.org> on 2010/08/13 21:39:19 UTC

[jira] Created: (DIRSERVER-1540) Login possible using password hash

Login possible using password hash
----------------------------------

                 Key: DIRSERVER-1540
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1540
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: ldap
    Affects Versions: 2.0.0-RC1
            Reporter: Andreas Oberritter
             Fix For: 2.0.0-RC1


from IRC:

file: core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
method: public LdapPrincipal authenticate( BindOperationContext bindContext )

you can see a code block starting with:

         // Short circuit for PLAIN TEXT passwords : we compare the byte array directly
         // Are the passwords equal ?
         if ( Arrays.equals( credentials, storedPassword ) )

I think you should move this block to the algorithm == null case some lines below

the test case would be:
1) store a password with any hashed algorithm.
2) base64 decode it.
3) use the result to bind to the ldap server


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
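
The comparison order described in the report above, as an added example that is not ApacheDS code and not part of the original message: a short-circuit raw byte comparison next to a version that allows the raw comparison only when the stored value carries no algorithm prefix. The class, the method names, the "{SHA}" prefix handling and the sample password are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

// Added illustration; hypothetical class, not ApacheDS code. Handles only a "{SHA}" prefix.
public class HashBindRegression {
    static final String PREFIX = "{SHA}";

    static byte[] sha1(byte[] in) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(in);
    }

    // Value as kept in the password attribute: "{SHA}" + base64(SHA-1(password)).
    static byte[] store(String password) throws Exception {
        byte[] digest = sha1(password.getBytes(StandardCharsets.UTF_8));
        return (PREFIX + Base64.getEncoder().encodeToString(digest)).getBytes(StandardCharsets.UTF_8);
    }

    static boolean hashedMatch(byte[] credentials, String stored) throws Exception {
        byte[] digest = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        return MessageDigest.isEqual(sha1(credentials), digest); // constant-time compare
    }

    // Before: the raw byte comparison runs first, whatever scheme the stored value uses.
    static boolean checkBefore(byte[] credentials, byte[] stored) throws Exception {
        if (Arrays.equals(credentials, stored)) return true;
        String s = new String(stored, StandardCharsets.UTF_8);
        return s.startsWith(PREFIX) && hashedMatch(credentials, s);
    }

    // After: raw comparison only when no algorithm prefix is present (algorithm == null).
    static boolean checkAfter(byte[] credentials, byte[] stored) throws Exception {
        String s = new String(stored, StandardCharsets.UTF_8);
        if (!s.startsWith(PREFIX)) return MessageDigest.isEqual(credentials, stored);
        return hashedMatch(credentials, s);
    }

    public static void main(String[] args) throws Exception {
        byte[] stored = store("secret");                           // constructed sample value
        byte[] password = "secret".getBytes(StandardCharsets.UTF_8);
        byte[] plain = "secret".getBytes(StandardCharsets.UTF_8);  // entry stored without a scheme
        System.out.println("before, stored value as credential: " + checkBefore(stored, stored));
        System.out.println("after,  stored value as credential: " + checkAfter(stored, stored));
        System.out.println("after,  real password vs hashed:    " + checkAfter(password, stored));
        System.out.println("after,  real password vs plaintext: " + checkAfter(password, plain));
    }
}
```

The second line of output is the regression check: with the raw comparison restricted to unprefixed values, the stored value no longer authenticates, while the real password still does for both hashed and plaintext entries.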


[jira] Closed: (DIRSERVER-1540) Login possible using password hash

Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-1540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kiran Ayyagari closed DIRSERVER-1540.
-------------------------------------

      Assignee: Kiran Ayyagari
    Resolution: Fixed

Fixed here http://svn.apache.org/viewvc?rev=985854&view=rev

> Login possible using password hash
> ----------------------------------
>
>                 Key: DIRSERVER-1540
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1540
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 2.0.0-RC1
>            Reporter: Andreas Oberritter
>            Assignee: Kiran Ayyagari
>             Fix For: 2.0.0-RC1
>
>
> from IRC:
> file: core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
> method: public LdapPrincipal authenticate( BindOperationContext bindContext )
> you can see a code block starting with:
>          // Short circuit for PLAIN TEXT passwords : we compare the byte array directly
>          // Are the passwords equal ?
>          if ( Arrays.equals( credentials, storedPassword ) )
> I think you should move this block to the algorithm == null case some lines below
> the test case would be:
> 1) store a password with any hashed algorithm.
> 2) base64 decode it.
> 3) use the result to bind to the ldap server
