Les, I've actually got the Shiro realm working - with either SSHA or SSHA256. But it looks like neither of the LDAP servers' built-in bind functions allow you to specify how many hash iterations to compute, only the algorithm to use. So I guess that means I just do an LDAP search instead of a bind and do the matching in my realm logic.
Or am I missing something? Thanks!

Sent from my iPhone

> On Jan 13, 2014, at 16:20, Les Hazlewood <[email protected]> wrote:
>
> Hi Richard,
>
> If I understand correctly, your challenge is that you want to configure the LDAP server of choice to compute SSHA256? And then to have Shiro read in that record, look at the hashed value and then do the comparison?
>
> Best,
>
> Les
>
>> On Mon, Jan 13, 2014 at 8:54 AM, rnmixon <[email protected]> wrote:
>>
>> A bit more info ...
>>
>> We are putting together a small outward-facing portal - implementing an LDAP directory is part of that effort (we use Microsoft AD for internal users).
>>
>> At this point we've written the PHP plugin for our WordPress site to authenticate external partners via the LDAP directory and internal users/employees using our Microsoft Active Directory. I'm doing the same for the two Java applications that need to be integrated.
>>
>> Currently, I'm trying to meet a new requirement I received last week to use SSHA256 instead of SSHA and to use a high number of hashing iterations, as Les' article suggested.
>>
>> In theory OpenLDAP can do this using the sha2 plugin, but it's been slow getting it to work - after quite a few years it has not been included in the base product's plugin set, and there appear to be some philosophical wars as to whether more advanced hashes can or should be included in the core product plugins.
>>
>> So at this point I've allocated a day (today) to look at the Fedora 389 Directory Server and see if it offers a smoother path. So far that seems to be the case, but I'm not all the way there yet.
>>
>> Any thoughts or suggestions on a better path? This is a first step for us - I'm sure we'll evaluate and reconsider after it's implemented.
>>
>> Thank you - Richard
>>
>> --
>> View this message in context:
>> http://shiro-user.582556.n2.nabble.com/Implementing-strong-password-hashing-with-Shiro-and-Openldap-tp7579496p7579498.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
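Added example, not code from the poster, from Shiro or from any LDAP server: what the "search, then match in the realm" approach from the message above looks like once the server-side bind can no longer verify the stored value. It assumes a stored form of `{SSHA256}` + base64(hash || salt), with the hash computed as sha256(salt || password) and then re-hashed (iterations - 1) more times, which is the order Shiro's SimpleHash uses; a stock LDAP `{SSHA256}` value is a single pass of sha256(password || salt), which is exactly why a bind against the server cannot check the iterated value. The iteration count is not encoded in the attribute, so the realm must be configured with the same count used when the entry was written. The `DIRECTORY` dict and the `authenticate` function are constructed stand-ins for the LDAP search and the realm logic.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example; not code from the mailing-list poster, Shiro or any LDAP server.
# Assumed stored form: "{SSHA256}" + base64(hash || salt), where
#   hash = sha256(salt || password), then re-hashed (iterations - 1) times.
# That is the order Shiro's SimpleHash uses. A stock LDAP {SSHA256} value is a
# single pass of sha256(password || salt), so a server-side bind cannot verify
# the iterated value; the realm fetches the attribute and compares itself.

PREFIX = "{SSHA256}"
SALT_LEN = 16
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def iterated_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Salted SHA-256, re-hashed so the total digest count equals `iterations`."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def encode_userpassword(password: str, iterations: int,
                        salt: Optional[bytes] = None) -> str:
    """Produce the userPassword value written at enrollment or password change."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = iterated_sha256(password.encode("utf-8"), salt, iterations)
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_userpassword(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored value into (digest, salt); reject any other scheme."""
    if not stored.startswith(PREFIX):
        raise ValueError("unsupported password scheme: %r" % stored[:12])
    # binascii.Error (a ValueError subclass) is raised on malformed base64.
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to contain a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_userpassword(password: str, stored: str, iterations: int) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        expected, salt = parse_userpassword(stored)
    except ValueError:
        return False
    actual = iterated_sha256(password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for the directory: uid -> userPassword attribute value.
# In the real realm this lookup is an LDAP search done with a service account
# that may read userPassword; the user's own password never reaches the server.
REALM_ITERATIONS = 20000
DIRECTORY: Dict[str, str] = {
    "partner1": encode_userpassword("correct horse battery staple", REALM_ITERATIONS),
    # A legacy single-pass entry in the server's native {SSHA} scheme. This
    # realm does not verify that scheme, so the user is rejected rather than
    # silently accepted.
    "legacy": "{SSHA}" + base64.b64encode(
        hashlib.sha1(b"old-password" + b"12345678").digest() + b"12345678"
    ).decode("ascii"),
}


def authenticate(uid: str, password: str,
                 directory: Dict[str, str] = DIRECTORY,
                 iterations: int = REALM_ITERATIONS) -> bool:
    """Realm logic: search for the entry, then match locally instead of binding."""
    stored = directory.get(uid)
    if stored is None:
        # Burn the same hashing cost so an unknown uid is not distinguishable
        # from a wrong password by response time.
        iterated_sha256(password.encode("utf-8"), b"\x00" * SALT_LEN, iterations)
        return False
    return verify_userpassword(password, stored, iterations)


if __name__ == "__main__":
    print(authenticate("partner1", "correct horse battery staple"))  # True
    print(authenticate("partner1", "wrong"))                         # False
    print(authenticate("legacy", "old-password"))                    # False
```

Two points worth carrying into a real realm: the comparison uses `hmac.compare_digest` rather than `==`, and a uid that does not exist still pays the full hashing cost, so neither the match nor the lookup leaks information through timing. The iteration count lives in realm configuration, so a later increase needs a re-hash on next successful login (or a per-entry count encoded into the value, which this format does not do).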
