I would like to propose an idea that will help improve the security of
DS password storage for new installations and their future upgrades.
I would like to change the default value of passwordStorageScheme to a
type called DEFAULT.
The implementation of DEFAULT would be an interface to the "current best
practice storage mechanism of this release of directory server".
This way sites that want to customise their hash types can. Sites that
"install and forget" will gain a strong password storage mechanism out
of the box.
Additionally, we can *change* the DEFAULT mapping in releases as we have
better and stronger hashes, or as we learn and get better advice on
their security. This way, users who "install and forget" are continually
moving forwards with their security as they upgrade versions. When user
passwords are changed in their systems, they are updated to the newer
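As an added illustration (not the author's or the directory server's own code), the following Python sketch models the mechanism proposed above: a configured `passwordStorageScheme` of `DEFAULT` is resolved at hash time against a per-release table, stored values carry the `{SCHEME}` tag so old hashes still verify, and a password change silently re-stores the password under whatever DEFAULT means in the running release. The scheme names, release numbers, iteration count and storage layout are constructed for this example; `needs_upgrade` is a hypothetical helper an administrator could use to count accounts still on an older scheme.

```python
import base64
import hashlib
import hmac
import os

# Constructed example mapping: which concrete scheme "DEFAULT" means in a
# given release. A new release only has to add a row here.
DEFAULT_BY_RELEASE = {
    "1.3": "SSHA",
    "1.4": "PBKDF2_SHA256",
}

SALT_LEN = 16


def _ssha(password: str, salt: bytes) -> bytes:
    # Legacy scheme kept so that existing entries keep verifying.
    return hashlib.sha1(password.encode() + salt).digest()


def _pbkdf2_sha256(password: str, salt: bytes) -> bytes:
    # Iteration count kept low for a quick demo; a real deployment uses more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Registry of concrete schemes keyed by the tag stored in front of the hash.
SCHEMES = {
    "SSHA": _ssha,
    "PBKDF2_SHA256": _pbkdf2_sha256,
}


def resolve_scheme(configured: str, release: str) -> str:
    """Turn the configured passwordStorageScheme into a concrete scheme."""
    if configured == "DEFAULT":
        return DEFAULT_BY_RELEASE[release]
    if configured not in SCHEMES:
        raise ValueError(f"unknown passwordStorageScheme: {configured}")
    return configured


def hash_password(password: str, scheme: str) -> str:
    """Store as {SCHEME}base64(digest || salt), a simplified LDAP layout."""
    salt = os.urandom(SALT_LEN)
    digest = SCHEMES[scheme](password, salt)
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode()


def parse_stored(stored: str):
    scheme, _, payload = stored[1:].partition("}")
    raw = base64.b64decode(payload)
    return scheme, raw[:-SALT_LEN], raw[-SALT_LEN:]


def verify_password(password: str, stored: str) -> bool:
    """Verify against whichever scheme the entry was written with."""
    scheme, digest, salt = parse_stored(stored)
    return hmac.compare_digest(SCHEMES[scheme](password, salt), digest)


def change_password(old_stored: str, old_password: str, new_password: str,
                    configured: str, release: str) -> str:
    """On a password change the entry moves to the current DEFAULT scheme."""
    if not verify_password(old_password, old_stored):
        raise PermissionError("current password does not match")
    return hash_password(new_password, resolve_scheme(configured, release))


def needs_upgrade(stored: str, configured: str, release: str) -> bool:
    """Hypothetical audit helper: is this entry behind the current DEFAULT?"""
    return parse_stored(stored)[0] != resolve_scheme(configured, release)


if __name__ == "__main__":
    entry = hash_password("hunter2", resolve_scheme("DEFAULT", "1.3"))
    print(entry, needs_upgrade(entry, "DEFAULT", "1.4"))
    entry = change_password(entry, "hunter2", "correct horse", "DEFAULT", "1.4")
    print(entry, needs_upgrade(entry, "DEFAULT", "1.4"))
```

The point of the model is that the stored tag, not the configuration, decides how an existing value is verified, so a release can move DEFAULT forward without invalidating anyone's login; the audit helper shows how long the tail of older hashes is after an upgrade.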
I think this would be a trivial feature to implement and add, and I
think that the net increase in security for administrators and accounts
on their system is huge.
Is this something we would like to pursue?
Red Hat, Brisbane