Posted to users@directory.apache.org by brock samson <br...@hotmail.com> on 2015/06/08 23:24:04 UTC

config partition as JdbmPartition

i am running apacheds2-M19 as embedded with some custom interceptors. up to this point, i have been using SingleFileLdifPartition to load my config.ldif file. since it loads the config.ldif before DefaultDirectoryService.start(), i am also able to manually set the interceptors via DefaultDirectoryService.setInterceptors() before the start as well. what i do not like about it is that it requires the config.ldif file to be on the disk in clear text, which is a security risk in my opinion. what i would like is for the config partition to look like all other partitions (i.e. system partition), which is a collection of .db and .lg files. i am able to accomplish that by using JdbmPartition class, but i cannot successfully load the config.ldif file via new LdifFileLoader(DefaultDirectoryService.getAdminSession(), config.ldif, null).execute() until after DefaultDirectoryService.start(), which makes it too late to set interceptors. is there a way to have config partition as JdbmPartition AND load its config.ldif before starting the service? or is there another way to not have config.ldif on the disk in clear text? thanks!

Re: config partition as JdbmPartition

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Jun 9, 2015 at 12:24 PM, Michael Perelman <
mikhail_perelman@hotmail.com> wrote:

> i agree that access to such file would indicate a much larger security
> problem. nevertheless, security files of such nature should not be sitting
> around on the disk. other partitions do not since they are in the form of a
> JdbmPartition, and neither should this one. all the passwords are already
> hashed, so that is not my concern. my concern is all the password policies
> that are defined within it, both OOTB ones, as well as the additional
> custom ones i created for my own interceptor. so is there a way to load a
> config.ldif into a JdbmPartition BEFORE starting directory service? thank
> you!
>
it is not supported by the server at the moment, because the preferred
approach is to let users edit the config file.

Having said that, the only way to make this happen is to change the way the
server is initialized in your code, it is "doable", and should be easy to
get it done.

>
> > Date: Tue, 9 Jun 2015 11:21:46 +0800
> > Subject: Re: config partition as JdbmPartition
> > From: kayyagari@apache.org
> > To: users@directory.apache.org
> >
> > On Tue, Jun 9, 2015 at 5:24 AM, brock samson <br...@hotmail.com>
> > wrote:
> >
> > > i am running apacheds2-M19 as embedded with some custom interceptors. up
> > > to this point, i have been using SingleFileLdifPartition to load my
> > > config.ldif file. since it loads the config.ldif before
> > > DefaultDirectoryService.start(), i am also able to manually set the
> > > interceptors via DefaultDirectoryService.setInterceptors() before the start
> > > as well. what i do not like about it is that it requires the config.ldif
> > > file to be on the disk in clear text, which is a security risk in my
> > > opinion. what i would like is for the config partition to
> >
> > is your concern about clear text passwords in config.ldif? if yes, then just
> > turn them into salted hashes
> > other than this I don't see any other security issues with having config in
> > plain text. (If someone managed
> > to reach this far to access your config file then there is a much bigger
> > hole in the network/system ;)
> >
> > > look like all other partitions (i.e. system partition), which is a
> > > collection of .db and .lg files. i am able to accomplish that by using
> > > JdbmPartition class, but i cannot successfully load the config.ldif file
> > > via new LdifFileLoader(DefaultDirectoryService.getAdminSession(),
> > > config.ldif, null).execute() until after DefaultDirectoryService.start(),
> > > which makes it too late to set interceptors. is there a way to have config
> > > partition as JdbmPartition AND load its config.ldif before starting the
> > > service? or is there another way to not have config.ldif on the disk in
> > > clear text? thanks!
> >
> > no, it is not possible to have this config loaded into any other partition
> > type
> >
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
>
>



-- 
Kiran Ayyagari
http://keydap.com

RE: config partition as JdbmPartition

Posted by Michael Perelman <mi...@hotmail.com>.
i agree that access to such file would indicate a much larger security problem. nevertheless, security files of such nature should not be sitting around on the disk. other partitions do not since they are in the form of a JdbmPartition, and neither should this one. all the passwords are already hashed, so that is not my concern. my concern is all the password policies that are defined within it, both OOTB ones, as well as the additional custom ones i created for my own interceptor. so is there a way to load a config.ldif into a JdbmPartition BEFORE starting directory service? thank you!

> Date: Tue, 9 Jun 2015 11:21:46 +0800
> Subject: Re: config partition as JdbmPartition
> From: kayyagari@apache.org
> To: users@directory.apache.org
> 
> On Tue, Jun 9, 2015 at 5:24 AM, brock samson <br...@hotmail.com>
> wrote:
> 
> > i am running apacheds2-M19 as embedded with some custom interceptors. up
> > to this point, i have been using SingleFileLdifPartition to load my
> > config.ldif file. since it loads the config.ldif before
> > DefaultDirectoryService.start(), i am also able to manually set the
> > interceptors via DefaultDirectoryService.setInterceptors() before the start
> > as well. what i do not like about it is that it requires the config.ldif
> > file to be on the disk in clear text, which is a security risk in my
> > opinion. what i would like is for the config partition to
>
> is your concern about clear text passwords in config.ldif? if yes, then just
> turn them into salted hashes
> other than this I don't see any other security issues with having config in
> plain text. (If someone managed
> to reach this far to access your config file then there is a much bigger
> hole in the network/system ;)
>
> > look like all other partitions (i.e. system partition), which is a
> > collection of .db and .lg files. i am able to accomplish that by using
> > JdbmPartition class, but i cannot successfully load the config.ldif file
> > via new LdifFileLoader(DefaultDirectoryService.getAdminSession(),
> > config.ldif, null).execute() until after DefaultDirectoryService.start(),
> > which makes it too late to set interceptors. is there a way to have config
> > partition as JdbmPartition AND load its config.ldif before starting the
> > service? or is there another way to not have config.ldif on the disk in
> > clear text? thanks!
>
> no, it is not possible to have this config loaded into any other partition
> type
> 
> 
> 
> -- 
> Kiran Ayyagari
> http://keydap.com

Re: config partition as JdbmPartition

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Jun 9, 2015 at 5:24 AM, brock samson <br...@hotmail.com>
wrote:

> i am running apacheds2-M19 as embedded with some custom interceptors. up
> to this point, i have been using SingleFileLdifPartition to load my
> config.ldif file. since it loads the config.ldif before
> DefaultDirectoryService.start(), i am also able to manually set the
> interceptors via DefaultDirectoryService.setInterceptors() before the start
> as well. what i do not like about it is that it requires the config.ldif
> file to be on the disk in clear text, which is a security risk in my
> opinion. what i would like is for the config partition to

is your concern about clear text passwords in config.ldif? if yes, then just
turn them into salted hashes
other than this I don't see any other security issues with having config in
plain text. (If someone managed
to reach this far to access your config file then there is a much bigger
hole in the network/system ;)

> look like all other partitions (i.e. system partition), which is a
> collection of .db and .lg files. i am able to accomplish that by using
> JdbmPartition class, but i cannot successfully load the config.ldif file
> via new LdifFileLoader(DefaultDirectoryService.getAdminSession(),
> config.ldif, null).execute() until after DefaultDirectoryService.start(),
> which makes it too late to set interceptors. is there a way to have config
> partition as JdbmPartition AND load its config.ldif before starting the
> service? or is there another way to not have config.ldif on the disk in
> clear text? thanks!

no, it is not possible to have this config loaded into any other partition
type



-- 
Kiran Ayyagari
http://keydap.com
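
[Added example, not part of the thread and not ApacheDS code: one way to check the reply's advice that passwords in an LDIF file be stored as salted hashes, by flagging any value that is cleartext or uses an unsalted scheme. The attribute name userPassword, the list of salted scheme names and the sample entries are assumptions constructed for illustration.]

```python
import base64
import hashlib
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
# Assumed list of salted scheme names (hyphens are stripped before comparison).
SALTED = {"SSHA", "SSHA256", "SSHA384", "SSHA512", "SMD5", "CRYPT", "PKCS5S2"}

def ssha(password, salt):
    """Build a {SSHA} value: base64(SHA-1(password + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def audit_passwords(text, attrs=("userpassword",)):
    """Return (dn, status) for every password value that is not a salted hash."""
    findings, dn = [], None
    for line in unfold(text):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):  # "attr:: value" carries a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() in attrs:
            m = SCHEME_RE.match(value)
            scheme = m.group(1).upper().replace("-", "") if m else None
            if scheme is None:
                findings.append((dn, "cleartext"))
            elif scheme not in SALTED:
                findings.append((dn, "unsalted " + scheme))
    return findings

# Constructed sample entries: one salted, one cleartext, one unsalted and base64-encoded.
UNSALTED = "{SHA}" + base64.b64encode(hashlib.sha1(b"x").digest()).decode()
SAMPLE = "\n".join([
    "dn: uid=alice,ou=users,dc=example,dc=com", "userPassword: " + ssha(b"correct horse", b"\x01\x02\x03\x04"), "",
    "dn: uid=bob,ou=users,dc=example,dc=com", "userPassword: hunter2", "",
    "dn: uid=carol,ou=users,", " dc=example,dc=com", "userPassword:: " + base64.b64encode(UNSALTED.encode()).decode()])
```

Calling audit_passwords(SAMPLE) reports the bob and carol entries and leaves the salted alice entry alone.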

Re: config partition as JdbmPartition

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 08/06/15 23:24, brock samson wrote:
> i am running apacheds2-M19 as embedded with some custom interceptors. up to this point, i have been using SingleFileLdifPartition to load my config.ldif file. since it loads the config.ldif before DefaultDirectoryService.start(), i am also able to manually set the interceptors via DefaultDirectoryService.setInterceptors() before the start as well. what i do not like about it is that it requires the config.ldif file to be on the disk in clear text, which is a security risk in my opinion.
Encrypt your disk. This is way safer than using anything like JDBM,
which is not encrypted anyway.