Re: Schema: encrypted 8-bit userPassword and SASLprep
At 04:09 AM 9/12/2003, Hallvard B Furuseth wrote:
>[Schema] 2.41 (userPassword) says:
>
> The application SHOULD prepare textual strings used as passwords
> by transcoding them to Unicode, applying SASLprep [SASLprep], and
> encoding as UTF-8.

s/application/client/

The intent here was to recommend that clients prepare textual
passwords before storing them or using them (to improve
interoperability).

Note that it is not a mandate. It is a recommendation.

Kurt

>This is incompatible with passwords written in 8-bit character sets and
>stored encrypted in files that cannot easily be decrypted, e.g. Unix
>/etc/passwd files. Since the server does not know the plaintext
>passwords, it cannot prepare them as above.
>
>Well, in some cases the server could convert the bind passwords back
>from UTF-8 to a locally configured character set. But I think that's an
>ugly hack, and an impossible one on multi-charset sites (or rather,
>servers that serve several different sites on one campus that have
>different default character sets.) I don't want the standard to mandate
>that.
>
>So I suggest this is added:
>
> The application SHOULD also provide an option to turn off such
> preparation of passwords.
>
>The alternative would be to force sites as above to write their own
>applications, which is not always feasible. We can hardly expect them
>to write their own version of Netscape, for example.
>
>--
>Hallvard
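
The mismatch discussed in this thread, as an added example that is not part of either message: a server holding only a one-way hash of Latin-1 password octets cannot match a bind password the client prepared as UTF-8, unless it transcodes back to the right legacy character set. Assumptions: salted SHA-256 stands in for a crypt(3)-style hash, `prepare` is a simplification of SASLprep (NFKC normalization and UTF-8 encoding only), and all names and the sample password are constructed.

```python
import hashlib
import hmac
import unicodedata

def prepare(password: str) -> bytes:
    # Simplified client-side preparation (assumption): NFKC, the normalization
    # form SASLprep uses, then UTF-8. Full SASLprep mapping/prohibition omitted.
    return unicodedata.normalize("NFKC", password).encode("utf-8")

def one_way(salt: bytes, octets: bytes) -> bytes:
    # Stand-in for a crypt(3)-style hash; the server never sees plaintext again.
    return hashlib.sha256(salt + octets).digest()

def verify(stored, bind_octets, legacy_charsets=()):
    """Return 'as-sent', the charset that made the hash match, or None."""
    salt, digest = stored
    if hmac.compare_digest(one_way(salt, bind_octets), digest):
        return "as-sent"
    # The workaround from the thread: convert the bind password back from
    # UTF-8 to a locally configured character set and try again.
    for charset in legacy_charsets:
        try:
            candidate = bind_octets.decode("utf-8").encode(charset)
        except (UnicodeDecodeError, UnicodeEncodeError):
            continue  # not UTF-8, or not representable in this charset
        if hmac.compare_digest(one_way(salt, candidate), digest):
            return charset
    return None

# Constructed sample: account created long ago from a Latin-1 terminal.
SALT = b"constructed-salt"
PASSWORD = "bl\u00e5b\u00e6rsyltet\u00f8y"
STORED = (SALT, one_way(SALT, PASSWORD.encode("iso-8859-1")))

if __name__ == "__main__":
    print("prepared client:", verify(STORED, prepare(PASSWORD)))
    print("preparation off:", verify(STORED, PASSWORD.encode("iso-8859-1")))
    print("server transcodes, right charset:",
          verify(STORED, prepare(PASSWORD), ["iso-8859-1"]))
    print("server transcodes, wrong charset:",
          verify(STORED, prepare(PASSWORD), ["cp850"]))
```

The wrong-charset case is the multi-charset site problem: the server has no way to tell which configured character set a given account's hash was computed over.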