[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: userPassword: {UNIX}uid [was: Authentication with UNIX username/password (ITS#212)]

To: Julio Sanchez <j_sanchez@stl.es>
Subject: Re: userPassword: {UNIX}uid [was: Authentication with UNIX username/password (ITS#212)]
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 26 Jun 1999 15:15:28 -0700
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <ue9096r85q.fsf@rama.dhis.org>
References: <"Kurt D. Zeilenga"'s message of "Sat, 26 Jun 1999 12:35:16 -0700"> <3.0.5.32.19990626123516.0097a2c0@localhost>

At 10:58 PM 6/26/99 +0200, Julio Sanchez wrote:
>"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> writes:
>> 	userPassword: {UNIX}uid
>I don't know...  A user that can change this to point to some other
>uid can then use slapd to crack that other uid password.

I actually think {UNIX} is safer than {CRYPT}.  It doesn't
expose the hash.  In fact, the administrator can disable
write access to the userPassword attribute to self!

Anyways, --disable-crypt turns this and {CRYPT} support off...

Would be nice if the slapd configuration support of userPassword
methods (and server side generation):
  passwordAttribute	userPassword
  passwordAllow	SSHA SMD5 SHA MD5
  passwordGenerate	SSHA

And, of course, a mechanism to completely disable userPassword
support in favor of (working) Kerberos V support.

Contributions welcomed...

Kurt

References:
- userPassword: {UNIX}uid [was: Authentication with UNIX username/password (ITS#212)]
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: userPassword: {UNIX}uid [was: Authentication with UNIX username/password (ITS#212)]
  - From: Julio Sanchez <j_sanchez@stl.es>

Prev by Date: Re: userPassword: {UNIX}uid [was: Authentication with UNIX username/password (ITS#212)]
Next by Date: Limited LDAPv3 client side support committed
Index(es):
- Chronological
- Thread