
Re: (ITS#7612) {CLEARTEXT} password scheme broken



On May 31, 2013, at 2:38 AM, wferi@niif.hu wrote:

> Full_Name: Ferenc Wágner
> Version: 2.4.31
> OS: Debian GNU/Linux squeeze
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (86.101.52.7)
> 
> 
> I'm trying to store the hypothetical password "{SSHA}" in cleartext, but
> slappasswd refuses to help:
> 
> $ /usr/sbin/slappasswd -s {SSHA} -h {CLEARTEXT}
> Password verification failed.
> 
> On #openldap hbf suggested that I file an ITS ("work" in the following means
> allowing binding):
> 
> hbf: Looks like {CLEARTEXT} itself is broken.  I think "userPassword:
> {CLEARTEXT}secret" should work, and so that slappasswd -h {CLEARTEXT} -s secret
> can output {CLEARTEXT}secret and userPassword: {CLEARTEXT}{SSHA} would be
> valid.
> 
> As I agree with him, here it is.
> 

Not a bug... 

Clear text passwords appear in userPassword without any RFC 2307 scheme, as in

userPassword: secret

not:

userPassword: {CLEARTEXT}secret

A cleartext password of {SSHA} is disallowed for what should be obvious reasons.

-- Kurt
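An added illustration of the parsing rule the reply relies on (example code, not slapd's own): a userPassword value carrying a `{SCHEME}` prefix is read as a hashed value, a bare value is the cleartext password, so a cleartext password that itself looks like `{SSHA}` would be read back as an SSHA value with an empty payload and could never verify. Function names and the {SSHA} layout used here (base64 of sha1(password + salt) followed by the 4-byte salt) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 2307 style userPassword value: optional "{SCHEME}" prefix, then payload.
# No prefix means the value itself is the cleartext password.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9._-]+)\}(.*)$", re.DOTALL)


def split_scheme(stored):
    """Return (scheme, payload); scheme is None for an unprefixed cleartext value."""
    m = SCHEME_RE.match(stored)
    if m:
        return m.group(1).upper(), m.group(2)
    return None, stored


def can_store_cleartext(password):
    """A cleartext password is storable only if reading it back does not yield a
    scheme prefix. "{SSHA}" fails: it would come back as scheme SSHA, empty payload."""
    return split_scheme(password)[0] is None


def ssha_hash(password, salt=None):
    """Build a {SSHA} value (assumed layout): base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored, candidate):
    """Check a bind password against a stored userPassword value."""
    scheme, payload = split_scheme(stored)
    if scheme is None:                      # bare value: constant-time cleartext compare
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    if scheme == "SSHA":
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:
            return False                    # not valid base64: malformed value
        if len(raw) < 20:
            return False                    # no SHA-1 digest present (e.g. bare "{SSHA}")
        digest, salt = raw[:20], raw[20:]
        got = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(got, digest)
    return False                            # other schemes are not modelled here
```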