Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1135: No support for LDAP {md5} encryption scheme #1384

spring-issuemaster opened this Issue Apr 9, 2009 · 2 comments


None yet
1 participant
from SEC-1135) said:

LDAP (at least openLDAP, but I assume its a standard) prefixes encrypted passwords in the userPassword field with the encryption used.
If you are doing password comparison, it will fail if you do not prefix the user password with the encryption.
In spring you can therefore choose {sha} as the encryption type instead of sha.

However, there is no md5 equivalent (there is no {md5}) so now its not possible to do the password comparison with md5 out of the box.

Luke Taylor said:

it’s true we don’t support this, however MD5 use is relatively rare compared with SHA or SSHA and is largely confined to legacy systems. It should be trivial to implement, so feel free to upload a patch and we will consider it for addition to the codebase.

Luke Taylor said:

This isn't something we are likely to get round to resourcing. MD5 is rarely used compared with SHA and SSHA and would not be chosen as a preference. If it's a feature you really want to see please submit a patch and we'll consider adding it to the codebase.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment