Posted to dev@directory.apache.org by "Andreas Oberritter (JIRA)" <ji...@apache.org> on 2010/08/13 21:39:19 UTC
[jira] Created: (DIRSERVER-1540) Login possible using password hash
Login possible using password hash
----------------------------------
Key: DIRSERVER-1540
URL: https://issues.apache.org/jira/browse/DIRSERVER-1540
Project: Directory ApacheDS
Issue Type: Bug
Components: ldap
Affects Versions: 2.0.0-RC1
Reporter: Andreas Oberritter
Fix For: 2.0.0-RC1
from IRC:
file: core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
method: public LdapPrincipal authenticate( BindOperationContext bindContext )
you can see a code block starting with:
// Short circuit for PLAIN TEXT passwords : we compare the byte array directly
// Are the passwords equal ?
if ( Arrays.equals( credentials, storedPassword ) )
I think you should move this block to the algorithm == null case some lines below.
the test case would be:
1) store a password with any hashed algorithm.
2) base64 decode it.
3) use the result to bind to the ldap server
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (DIRSERVER-1540) Login possible using password hash
Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kiran Ayyagari closed DIRSERVER-1540.
-------------------------------------
Assignee: Kiran Ayyagari
Resolution: Fixed
Fixed here http://svn.apache.org/viewvc?rev=985854&view=rev
> Login possible using password hash
> ----------------------------------
>
> Key: DIRSERVER-1540
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1540
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap
> Affects Versions: 2.0.0-RC1
> Reporter: Andreas Oberritter
> Assignee: Kiran Ayyagari
> Fix For: 2.0.0-RC1
>
>
> from IRC:
> file: core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
> method: public LdapPrincipal authenticate( BindOperationContext bindContext )
> you can see a code block starting with:
> // Short circuit for PLAIN TEXT passwords : we compare the byte array directly
> // Are the passwords equal ?
> if ( Arrays.equals( credentials, storedPassword ) )
> I think you should move this block to the algorithm == null case some lines below.
> the test case would be:
> 1) store a password with any hashed algorithm.
> 2) base64 decode it.
> 3) use the result to bind to the ldap server