[ https://issues.apache.org/jira/browse/DIRSERVER-610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-610:
----------------------------------------

    Affects Version/s:     (was: 1.0-RC1)
                           1.0.2
                           1.5.0
        Fix Version/s: 1.0.3
                       1.5.2

Endi is right. We need to find a better way to handle the admin password.

> Need to simplify process for changing admin password
> ----------------------------------------------------
>
>                 Key: DIRSERVER-610
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-610
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.0.2, 1.5.0
>            Reporter: Endi S. Dewata
>             Fix For: 1.5.2, 1.0.3
>
>
> As described in
> http://directory.apache.org/subprojects/apacheds/docs/users/authentication.html,
> currently to change the admin password you need to perform 2 steps: ldapmodify
> and then change server.xml. While the functionality works just fine, this has
> become a usability issue in both stand-alone and embedded mode as the admin
> user is required to maintain the same passwords stored in 2 different
> locations. Even though requiring a password in server.xml might prevent an
> unauthorized user from starting the server, it's also a security risk because
> the password is stored in plain text and probably cannot be encrypted because
> it needs to be validated against the one stored in the backend.
>
> Several alternatives:
>
> 1. Automatically modify server.xml when the admin password is changed via
>    ldapmodify. However, if the user changes server.xml manually, it will become
>    unsynchronized. Also, in embedded mode this might not work because the config
>    might not be stored in server.xml.
>
> 2. Store the admin password (or just the hash value) in the configuration
>    file only (server.xml) as in OpenLDAP. When the admin user binds, the
>    password will be validated against this hash value.
>
> 3. Store the admin password in the backend storage only along with other
>    users' passwords. This might be the simplest solution because it's already
>    been implemented.
>
> Related issue:
> - http://jira.safehaus.org/browse/PENROSE-142

--
This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
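Alternative 2 in the report (a salted hash in the configuration instead of the plaintext password, checked when the admin binds, as OpenLDAP does with an {SSHA} rootpw) sketched as an added example. This is not ApacheDS code; the class and method names are hypothetical and the layout follows the OpenLDAP {SSHA} scheme.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/** Hypothetical helper: an OpenLDAP-style {SSHA} admin credential kept in config, checked at bind time. */
public final class SshaAdminCredential {
    private static final String PREFIX = "{SSHA}";
    private static final int DIGEST_LEN = 20; // SHA-1 output size

    /** Value an administrator would put in server.xml in place of the plaintext password. */
    public static String hash(char[] password) {
        byte[] salt = new byte[8]; // fresh random salt per stored credential
        new SecureRandom().nextBytes(salt);
        return PREFIX + Base64.getEncoder().encodeToString(digest(password, salt));
    }

    /** Bind-time check: re-hash the offered password with the stored salt and compare in constant time. */
    public static boolean verify(char[] offered, String stored) {
        if (stored == null || !stored.startsWith(PREFIX)) {
            return false; // a plaintext or unknown-scheme config entry is rejected, never compared directly
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            return false; // malformed config value
        }
        if (decoded.length <= DIGEST_LEN) {
            return false; // digest only, no salt present
        }
        byte[] salt = Arrays.copyOfRange(decoded, DIGEST_LEN, decoded.length);
        return MessageDigest.isEqual(digest(offered, salt), decoded);
    }

    /** SHA-1(password || salt) || salt, the byte layout OpenLDAP uses for {SSHA}. */
    private static byte[] digest(char[] password, byte[] salt) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(new String(password).getBytes(StandardCharsets.UTF_8));
            sha1.update(salt);
            byte[] out = Arrays.copyOf(sha1.digest(), DIGEST_LEN + salt.length);
            System.arraycopy(salt, 0, out, DIGEST_LEN, salt.length);
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-1 is mandatory in every JRE
        }
    }
}
```

`hash` produces the string to store in the configuration and `verify` runs on each admin bind, so the plaintext never needs to sit in server.xml or be kept in sync with the backend entry. SHA-1 is what the {SSHA} scheme prescribes; a deployment choosing this design today would pick a slower salted scheme, but the store-and-verify shape is the same.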