...

In order to demonstrate how to write an interceptor, here is a simple but realistic example. The following requirement should be fulfilled by an interceptor.

  • No user password should be stored in clear text in the directory.

To be more concrete:

  • If a userPassword is set by an LDAP client in plain text, a message digest algorithm should be applied to the value, and the one-way encrypted value should be stored.
  • The algorithm should be applied when new entries are created or existing entries are modified (hence add and modify operations will be intercepted).
  • If the value given by the client is already provided in hashed form, nothing happens, and the given value is stored in the directory without modification.

The sources

Currently, the sources are checked in here

...

The class HashTools contains two simple methods related to hashing. isAlreadyHashed detects whether a value has already been hashed with a known message digest algorithm. applyHashAlgorithm applies a hash algorithm to a sequence of bytes. See the source code and the unit tests of this class for details; it does not have much to do with the interceptor itself.
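The following is an added illustration of the logic the two HashTools methods and the interceptor requirement describe; it is not the project's HashTools class and not ApacheDS interceptor code. It assumes the stored form is the usual LDAP "{SCHEME}" prefix followed by the base64-encoded digest (with the salt appended for SSHA), which is the format a {MD5} value such as the one produced for "secret" takes. The function and scheme names are chosen here for illustration.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional

# Schemes treated as "known" hashed forms. A value starting with one of these
# prefixes is passed through unchanged; anything else is considered plain text.
KNOWN_SCHEMES = {"MD5", "SHA", "SSHA"}
_SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}")


def is_already_hashed(value: bytes) -> bool:
    """Detect whether a userPassword value already carries a known {SCHEME} prefix."""
    match = _SCHEME_RE.match(value)
    if not match:
        return False
    return match.group(1).decode("ascii").upper() in KNOWN_SCHEMES


def apply_hash_algorithm(value: bytes, scheme: str = "MD5",
                         salt: Optional[bytes] = None) -> bytes:
    """Apply a one-way digest to a plain-text value and return the {SCHEME}base64 form."""
    scheme = scheme.upper()
    if scheme == "MD5":
        return b"{MD5}" + base64.b64encode(hashlib.md5(value).digest())
    if scheme == "SHA":
        return b"{SHA}" + base64.b64encode(hashlib.sha1(value).digest())
    if scheme == "SSHA":
        # Salted SHA-1: digest over value+salt, salt appended to the digest before encoding.
        salt = salt if salt is not None else os.urandom(8)
        digest = hashlib.sha1(value + salt).digest()
        return b"{SSHA}" + base64.b64encode(digest + salt)
    raise ValueError(f"unsupported scheme: {scheme}")


def intercept_user_password(values: Iterable[bytes], scheme: str = "MD5") -> List[bytes]:
    """The decision an add/modify interceptor makes per userPassword value:
    hash plain-text values, leave already-hashed values untouched."""
    return [v if is_already_hashed(v) else apply_hash_algorithm(v, scheme) for v in values]


def verify_password(stored: bytes, candidate: bytes) -> bool:
    """Check a candidate password against a stored {SCHEME} value (used at bind time)."""
    match = _SCHEME_RE.match(stored)
    if not match:
        # Stored value is plain text (should not happen once the interceptor is active).
        return hmac.compare_digest(stored, candidate)
    scheme = match.group(1).decode("ascii").upper()
    blob = base64.b64decode(stored[match.end():])
    if scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, rest is salt
        expected = apply_hash_algorithm(candidate, "SSHA", salt)
    elif scheme in ("MD5", "SHA"):
        expected = apply_hash_algorithm(candidate, scheme)
    else:
        return False
    return hmac.compare_digest(stored, expected)


if __name__ == "__main__":
    # Constructed sample: one plain-text value and one already-hashed value.
    incoming = [b"secret", b"{SSHA}" + base64.b64encode(hashlib.sha1(b"x" + b"12345678").digest() + b"12345678")]
    for original, stored in zip(incoming, intercept_user_password(incoming)):
        print(original, b"->", stored, "verifies:", verify_password(stored, original if not is_already_hashed(original) else b"x"))
```

The intercept step is the only place where plain text is still visible; once the value is stored in hashed form, the bind check recomputes the digest from the candidate password and compares it in constant time.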

...

dn: cn=Kate Bush,ou=users,ou=system
objectClass: person
objectClass: top
cn: Kate Bush
sn: Bush

Then we add a new attribute userPassword in the entry editor. For the value, a special editor appears:

...

Afterwards, the value for userPassword is not "secret", but the MD5 digested value of it.

Kate Bush is still capable of authenticating with the password "secret", because Apache Directory Server supports storing passwords hashed with this algorithm.

Limitations of the example

TBD.

Further reading