[ http://issues.apache.org/jira/browse/DIRSERVER-261?page=all ]

Stefan Zoerner closed DIRSERVER-261:
------------------------------------

Alex created a new item which describes the missing functionality of this issue: DIRSERVER-289. Therefore I close this one.

> Storing user passwords other than in clear
> ------------------------------------------
>
>          Key: DIRSERVER-261
>          URL: http://issues.apache.org/jira/browse/DIRSERVER-261
>      Project: Directory ApacheDS
>         Type: New Feature
>     Versions: pre-1.0
>     Reporter: Stefan Zoerner
>     Assignee: Stefan Zoerner
>     Priority: Blocker
>      Fix For: 1.0-RC1
>
> Because the admin user is allowed to see everything, I suggest to store the
> attribute values for user password other than in clear. A nice solution would
> be to make this configurable (other server products allow comparable
> functionality):
> * Configure a hash function to use for password storage (e.g. MD5, SSHA, ...)
> * Allow clients to store the value as a hashed value on their own as well
>   (calculated with a function other than the configured one, if they like)
> * Enable simple bind with value in clear text (hash value calculated within
>   the server and compared against the stored value)
> * Still allow clear passwords, because some authentication mechanisms need
>   this (e.g. DIGEST-MD5)
> Hashed values do not add that much security, but at least it is harder for
> admin to catch a password and commit it to his/her memory.
> Some products even allow to encrypt the password (two-way), but I think the
> features above should do for the first run.
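
The storage and simple-bind behaviour requested in the issue above, as an added example (it is not ApacheDS code and not part of the original message). It assumes RFC 2307-style `{SCHEME}base64` values with the digest followed by the salt; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Assumption: RFC 2307-style userPassword values, "{SCHEME}" + base64(digest + salt).
# MD5 and SSHA are the schemes the issue names; SHA and SMD5 are their common siblings.
DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
SALTED = {"SMD5", "SSHA"}


def hash_password(password, scheme="SSHA", salt=None):
    """Build the stored value for the configured scheme (hypothetical helper)."""
    scheme = scheme.upper()
    if scheme not in DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)
    if scheme not in SALTED:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = DIGESTS[scheme](password + salt).digest()
    return b"{" + scheme.encode("ascii") + b"}" + base64.b64encode(digest + salt)


def split_scheme(stored):
    """Return (scheme, payload); scheme is None when the value is kept in clear."""
    if stored.startswith(b"{") and b"}" in stored:
        end = stored.index(b"}")
        scheme = stored[1:end].decode("ascii", "replace").upper()
        if scheme in DIGESTS:
            return scheme, stored[end + 1:]
    return None, stored


def simple_bind_matches(presented, stored):
    """Check a clear-text bind password against whatever form is stored."""
    scheme, payload = split_scheme(stored)
    if scheme is None:
        # Clear storage stays possible, as the issue requires for DIGEST-MD5.
        return hmac.compare_digest(presented, stored)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False  # malformed stored value never authenticates
    size = DIGESTS[scheme]().digest_size
    if len(raw) < size or (scheme not in SALTED and len(raw) != size):
        return False
    digest, salt = raw[:size], raw[size:]
    # The scheme comes from the stored value, so a client-chosen scheme still verifies.
    return hmac.compare_digest(DIGESTS[scheme](presented + salt).digest(), digest)
```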
