  1. OpenDJ
  2. OPENDJ-6737

Provide a means for client applications to determine which authentication mechanisms are supported for a given user

    Details

    • Type: New Feature
    • Status: Dev backlog
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      Certain privileged client applications should be able to determine what authentication mechanisms are supported for a given user. In particular:

      • SASL DIGEST-MD5/CRAM-MD5 both require passwords to be stored in a reversible format (note that these mechanisms are deprecated).
      • SASL SCRAM mechanisms require passwords to be stored as SCRAM credentials. SCRAM-SHA-256 requires credentials to be stored using the SCRAM-SHA-256 storage scheme; likewise, SCRAM-SHA-512 requires credentials to be stored using the SCRAM-SHA-512 storage scheme.
      • Simple username/password mechanisms are storage scheme agnostic.

      This information could be exposed in the user's entry using a virtual attribute. The privileged application will first query it before determining which auth mechanism to use. Note that client applications must take care not to accidentally disclose the existence of the underlying user.
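
      The mapping described above, with a client-side selection step that does not reveal whether the user exists, as an added example that is not OpenDJ code or part of the original issue. The function names, the `decoy_key` parameter, and the reversible scheme names are assumptions, and the stored values in any call are constructed samples.

```python
import hashlib
import hmac
import re

# Assumed scheme names, as found in the {scheme} prefix of stored password
# values; the reversible set is illustrative, not an exhaustive list.
REVERSIBLE = {"AES", "3DES", "BLOWFISH", "RC4", "BASE64", "CLEAR"}
SCRAM = {"SCRAM-SHA-256", "SCRAM-SHA-512"}
SCHEME_PREFIX = re.compile(r"^\{([^}]+)\}")
# Client preference order; the deprecated DIGEST-MD5/CRAM-MD5 are never chosen.
PREFERENCE = ["SCRAM-SHA-512", "SCRAM-SHA-256", "SIMPLE"]


def mechanisms_for(stored_values):
    """Return the mechanisms usable with a user's stored password values."""
    mechs = set()
    for value in stored_values:
        match = SCHEME_PREFIX.match(value)
        if not match:
            continue  # no scheme prefix, nothing can be inferred
        scheme = match.group(1).upper()
        mechs.add("SIMPLE")  # simple bind is storage scheme agnostic
        if scheme in REVERSIBLE:
            mechs.update({"DIGEST-MD5", "CRAM-MD5"})
        elif scheme in SCRAM:
            mechs.add(scheme)  # SCRAM needs the matching storage scheme
    return mechs


def choose_mechanism(username, stored_values, decoy_key):
    """Pick a mechanism; stored_values is None when the user was not found."""
    if stored_values is None:
        # Unknown user: derive a stable decoy from a secret key so the choice
        # looks like a real account's and is the same on every attempt.
        tag = hmac.new(decoy_key, username.encode(), hashlib.sha256).digest()
        supported = {PREFERENCE[tag[0] % len(PREFERENCE)]}
    else:
        supported = mechanisms_for(stored_values)
    for mech in PREFERENCE:
        if mech in supported:
            return mech
    return "SIMPLE"  # no recognisable stored password: fall back to simple bind
```

      For the decoy to be convincing, the spread of decoy choices should roughly match the spread of mechanisms across real accounts, and the timing of the two paths should not differ observably.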

            People

            • Assignee:
              Unassigned
              Reporter:
              matthew Matthew Swift