SEC-1135: No support for LDAP {md5} encryption scheme #1384

Closed
spring-issuemaster opened this Issue Apr 9, 2009 · 2 comments

@spring-issuemaster

errorken (Migrated from SEC-1135) said:

LDAP (at least OpenLDAP, but I assume it's a standard) prefixes encrypted passwords in the userPassword field with the encryption used.
If you are doing password comparison, it will fail if you do not prefix the user password with the encryption.
In Spring you can therefore choose {sha} as the encryption type instead of sha.

However, there is no md5 equivalent (there is no {md5}), so now it's not possible to do the password comparison with md5 out of the box.

@spring-issuemaster

Luke Taylor said:

It’s true we don’t support this; however, MD5 use is relatively rare compared with SHA or SSHA and is largely confined to legacy systems. It should be trivial to implement, so feel free to upload a patch and we will consider it for addition to the codebase.

@spring-issuemaster

Luke Taylor said:

This isn't something we are likely to get round to resourcing. MD5 is rarely used compared with SHA and SSHA and would not be chosen as a preference. If it's a feature you really want to see please submit a patch and we'll consider adding it to the codebase.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
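
The prefixed userPassword format discussed in this issue, as an added Python example that is not part of the original thread and is not Spring Security's code: it builds and checks `{MD5}`, `{SHA}` and `{SSHA}` values and shows why a value without its prefix fails comparison. The function names, the sample password and the case-insensitive prefix match are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Hash name and digest length for each scheme label handled in this example.
SCHEMES = {"MD5": ("md5", 16), "SHA": ("sha1", 20), "SSHA": ("sha1", 20)}


def encode(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a userPassword value such as '{MD5}<base64 of digest>'."""
    label = scheme.upper()
    algo, _ = SCHEMES[label]
    # Only {SSHA} is salted; the salt is appended to the digest before base64.
    salt = (salt or os.urandom(8)) if label == "SSHA" else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (label, base64.b64encode(digest + salt).decode("ascii"))


def split_scheme(stored: str):
    """Return (scheme, payload); scheme is None when there is no '{...}' prefix."""
    if stored.startswith("{") and "}" in stored:
        label, payload = stored[1:].split("}", 1)
        return label.upper(), payload  # assumption: labels match case-insensitively
    return None, stored


def matches(stored: str, candidate: str) -> bool:
    """Check a candidate password against a prefixed userPassword value."""
    scheme, payload = split_scheme(stored)
    if scheme not in SCHEMES:
        return False  # missing or unsupported prefix: refuse rather than guess
    algo, size = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False  # payload is not valid base64
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (salt and scheme != "SSHA"):
        return False  # truncated digest, or trailing bytes on an unsalted scheme
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison
```
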