directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSERVER-2179) Password hashing interceptor - password history entries are not hashed
Date Wed, 26 Jun 2019 09:13:00 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-2179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16873123#comment-16873123 ]

Emmanuel Lecharny commented on DIRSERVER-2179:
----------------------------------------------

Here is the thing: the Password Policy may need to check the password quality, which means
your password must be sent in clear text to the server. Then the server will not know which
hash method to use to store the password.

Maybe using the {{PasswordHashing}} interceptor could do the trick? Will test that.

> Password hashing interceptor - password history entries are not hashed
> ----------------------------------------------------------------------
>
>                 Key: DIRSERVER-2179
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2179
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ppolicy
>            Reporter: Dmitry Smeliansky
>            Priority: Major
>
> Hi.
> In order to use the server-side password policy validation - we have to pass the passwords
> as plaintext and not hashed by the client.
> Password hashing interceptor hashes the passwords according to the configuration, BUT
> - the newly added pwdHistory entry will contain the plaintext value of the password.
> Is there any way to have the password policy validation on the server and the hashed
> password to be saved in the history at the same time?
> Thanks



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
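
Added example, not part of the original message and not ApacheDS code: a sketch of a password change in which the quality check and the history check both see the cleartext, and the same salted hash is then written to `userPassword` and `pwdHistory`. The `entry` dictionary, the function names, the two policy constants, the `{SSHA}` scheme and the reduction of history values to bare hash strings are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

PWD_IN_HISTORY = 3  # assumed policy value: how many hashes the history keeps
MIN_LENGTH = 8      # assumed quality rule, stands in for the real checks


def ssha(password, salt=None):
    """LDAP-style {SSHA} value: base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def matches(password, stored):
    """Re-hash the candidate with the salt embedded in the stored value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    salt = raw[20:]  # a SHA-1 digest is 20 bytes, the remainder is the salt
    return hmac.compare_digest(ssha(password, salt), stored)


def change_password(entry, cleartext):
    """Quality and history checks see the cleartext; only hashes are stored."""
    pw = cleartext.encode("utf-8")
    if len(pw) < MIN_LENGTH:
        raise ValueError("password fails the quality check")
    if any(matches(pw, old) for old in entry["pwdHistory"]):
        raise ValueError("password is in the history")
    hashed = ssha(pw)  # hash once, after every check that needs cleartext
    entry["userPassword"] = hashed
    entry["pwdHistory"] = ([hashed] + entry["pwdHistory"])[:PWD_IN_HISTORY]


if __name__ == "__main__":
    entry = {"userPassword": "", "pwdHistory": []}  # constructed sample entry
    change_password(entry, "Correct-Horse-1")
    print(entry)
```

Because each history value carries its own salt, reuse is detected by re-hashing the candidate per entry, so the history never needs the cleartext.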
