
Re: SASL and PAM based password changing



On Fri, 8 Feb 2002, Norbert Klasen wrote:
> --On Donnerstag, 7. Februar 2002 19:44 +0530 Shanker Balan 
> <shanu@exocore.com> wrote:
> 
> > Correct. Hmm... so what purpose does the OpenLDAP "extended operations"
> > serve?
> 
> The "Password Modify Extended Operation" (see RFC 3062) has been defined to 
> create a standard way for updating a user's password. As currently 
> implemented in OpenLDAP, it will automatically hash the password before 
> storing it in the userPassword attribute type.

It seems to me that, given a choice, I would on principle rather
have PAM hash the password BEFORE transmission to the LDAP server (which I
can do with pam_password <algorithm>) rather than having the server do the
hash after sending the password cleartext.  I guess if I care about
security I'm of course using SSL anyways, but still... Why would I want to
use the password change exop when PAM handles things
just beautifully without it?

Carl
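
An added illustration of the two options compared in this thread (not code from either poster, OpenLDAP or pam_ldap): it builds the RFC 3062 PasswdModifyRequestValue, which carries the new password as plain octets, beside a userPassword value hashed on the client. The DN and passwords are constructed sample values, and {SSHA} is assumed as the client-side hash scheme.

```python
import base64
import hashlib
import hmac
import os

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # passwdModifyOID from RFC 3062

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_value(user_dn=None, old=None, new=None):
    """SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }, all optional."""
    body = b""
    for tag, field in ((0x80, user_dn), (0x81, old), (0x82, new)):
        if field is not None:
            body += tlv(tag, field.encode("utf-8"))
    return tlv(0x30, body)

def ssha(password, salt=None):
    """userPassword value in {SSHA} form: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_matches(stored, candidate):
    """Check a candidate password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    check = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(check, digest)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    dn, old, new = "uid=carl,dc=example,dc=com", "old-secret", "new-secret"
    exop = passwd_modify_value(dn, old, new)
    print("exop OID:", PASSWD_MODIFY_OID)
    print("exop request value:", exop.hex())
    print("new password readable in exop value:", new.encode() in exop)
    print("client-hashed userPassword:", ssha(new))
```

The exop value contains the new password as raw octets, which is why RFC 3062 expects the operation to run over a protected connection such as TLS.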