OpenLDAP

Viewing Contrib/4366

From: paolo.meschi@gmail.com
Subject: userPassword compare fix
0 replies:
3 followups: 1 2 3



Date: Tue, 24 Jan 2006 15:50:42 GMT
From: paolo.meschi@gmail.com
To: openldap-its@OpenLDAP.org
Subject: userPassword compare fix
Full_Name: Paolo Meschi
Version: 2.X HEAD
OS: Linux
URL: http://www.paolomeschi.com/patches/openldap/openldap-userpassword-compare.patch
Submission from: (NULL) (82.60.63.158)


Trying to compare the userPassword attribute, which contains a crypted password
(like this: {crypt}qWe2pXud183), with the cleartext password, OpenLDAP returned
LDAP_COMPARE_FALSE. However, if I put a cleartext password in userPassword,
it returns LDAP_COMPARE_TRUE.
So, as far as I can see, OpenLDAP doesn't crypt (with the proper function) the password
passed by the client before comparing it, as many other LDAP servers (like Sun
Directory Services) do.

This patch should fix this behaviour: 
http://www.paolomeschi.com/patches/openldap/openldap-userpassword-compare.patch

(A copy of this mail has been sent to the devel mailing list)
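
The behaviour reported above, as an added example that is not part of the original message, the patch, or OpenLDAP's code: a literal octet comparison against a scheme-prefixed value fails for the cleartext password, while a hash-aware comparison succeeds. It assumes {SSHA} instead of {crypt} so that it runs with the Python standard library only; the function names, salt and password are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: bytes, salt: bytes) -> bytes:
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def octet_string_match(stored: bytes, asserted: bytes) -> bool:
    """Literal byte equality, the octetStringMatch rule userPassword uses."""
    return hmac.compare_digest(stored, asserted)


def hash_aware_match(stored: bytes, asserted: bytes) -> bool:
    """Hash the asserted value with the stored scheme and salt, then compare."""
    if stored[:6].upper() == b"{SSHA}":
        try:
            raw = base64.b64decode(stored[6:], validate=True)
        except ValueError:
            return False  # malformed base64 never matches
        if len(raw) < SHA1_LEN:
            return False  # too short to hold a digest
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        candidate = hashlib.sha1(asserted + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if stored.startswith(b"{"):
        return False  # other schemes are not handled in this sketch
    return octet_string_match(stored, asserted)  # cleartext value


def demo() -> dict:
    salt = bytes.fromhex("0011223344556677")  # constructed sample salt
    hashed = make_ssha(b"secret", salt)        # constructed stored value
    return {
        "literal_vs_hashed": octet_string_match(hashed, b"secret"),
        "literal_vs_clear": octet_string_match(b"secret", b"secret"),
        "hash_aware_vs_hashed": hash_aware_match(hashed, b"secret"),
        "hash_aware_wrong_pw": hash_aware_match(hashed, b"Secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```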


Followup 1

Date: Sat, 28 Jan 2006 18:13:34 +0100
From: "Oni (Paolo Meschi)" <paolo.meschi@gmail.com>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4366) userPassword compare fix
As suggested, I transformed the patch into an overlay. It can be found
at this address:

http://www.paolomeschi.com/openldap/pwcompare.c



Followup 2

Date: Sun, 29 Jan 2006 20:22:23 +0100
From: "Oni (Paolo Meschi)" <paolo.meschi@gmail.com>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4366) userPassword compare fix
A fixed version, that includes the "hash-compare" configuration option
and a README file, can be found there:

http://www.paolomeschi.com/openldap/pwcompare.tar.gz



Followup 3

Date: Fri, 14 Dec 2007 19:50:32 -0800
From: Howard Chu <hyc@symas.com>
To: openldap-its@openldap.org
Subject: ITS#4366 userPassword compare
I think this is in general a bad idea. It's already noted as such in the 
README, which is fine. The code generally looks pretty good, although it would 
need to be updated for cn=config support. Does anyone else see a reason to 
integrate this and get it working with cn=config?
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/



______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org