Re: Compare-Request on hashed userPassword

[Dan White <dwhite@olp.net>]

On 29/09/11 17:51 +0200, Buchan Milne wrote:
> On Wednesday, 28 September 2011 16:24:35 Dan White wrote:
> > We had a similar problem where Sun ILOM requires userPassword to be in a
> > Solaris compatible crypt format. We created a custom attribute, called
> > cryptedUserPassword, and populate it for the users that need access to the
> > device. Then we make use of slapd-relay and slapo-rwm, to present
> > cryptedUserPassword as userPassword when our relayed tree
> > (dc=example,dc=net,dc=ilom) is queried.
>
> What benefit is this over having the userPassword be in CRYPT? In either case,
> you're exposing weak passwords to a specific account. If an attacker could
> gain access to userPassword, most likely they have easier access to the
> cryptedUserPassword attribtue?
>
> Yes, we have the same problem (but, this seems to be about the only really
> irritating misfeature of the ILOM, compared to the manifold problems of HP
> iLO).
>
> And yes, I would much rather find an avenue to escalate this to Sun/Oracle
> ....

Do you mean?

userPassword: {CRYPT}$1$...

Presumably that would fail since ILOM is requesting userPassword and
comparing it locally, and would balk at the '{CRYPT}' substring.

I have the same ACLs configured for both userPassword and
cryptedUserPassword (custom attribute).

I don't have a business relationship with Oracle to open a ticket. Does
anyone have a point of contact at Oracle to submit feature requests to?

--
Dan White