
Re: Authentication using encryption
Note that LDAPv2 simple authentication uses clear text passwords
regardless of how the password is stored.  And one should be
careful in classifying storage using one-way hash algorithms.
Though some algorithms are of cryptographic strength, the
algorithms are not ciphers.

It also should be noted the stored value (a hash of the password)
should be protected as if it were clear text.  This protects
against a number of attacks and any flaw in the design/implementation
of the hash algorithm.

I strongly recommend use of SSL (via a wrapper) and/or Kerberos
when using LDAPv2.  When using LDAPv3, DIGEST-MD5 or better should
be used.

(OpenLDAP 1.x, of course, implements LDAPv2++)

At 10:13 AM 7/18/00 +0200, Janni Fikouras wrote:
>  Hi, I am currently developing an address database based on openldap and the
>Netscape Java ldap SDK version 4. Everything has been going smoothly all in
>all other than a recent problem that I have encountered concerning
>password management.
>
>  Authentication in cleartext as well as i.e. {crypt} works fine, changing
>the "userpassword" attribute in order to assign a cleartext value is also
>no problem. My question is how do I tell the directory that I want the
>cleartext value I give it converted into let's say {crypt} ? Or do I have
>to do stuff like that in the application ?

userPassword is a user attribute (as opposed to an operational
attribute).  User meaning that it's the client's responsibility to
maintain it.  1.2 provides no server side generation mechanism,
but does provide a client, ldappasswd, which may be used to
generate RFC2307 userPassword values.

The FAQ provides additional information on how to generate RFC2307
passwords (which have been recently updated).