
Re: Schema: encrypted 8-bit userPassword and SASLprep



At 07:02 AM 9/12/2003, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>>At 04:09 AM 9/12/2003, Hallvard B Furuseth wrote:
>>>[Schema] 2.41 (userPassword) says:
>>>
>>>   The application SHOULD prepare textual strings used as passwords
>>>   by transcoding them to Unicode, applying SASLprep [SASLprep], and
>>>   encoding as UTF-8.
>> 
>> s/application/client/
>> 
>> The intent here was to recommend that clients prepare textual
>> passwords before storing them or using them (to improve
>> interoperability).
>
>Huh?  If clients do that but servers don't, the passwords won't match.

userPassword values are matched with octetStringMatch.
If client A stores a string into userPassword and
client B asserts that the attribute contains a string,
that assertion will be True if and only if those strings
are, octet-wise, the same.  The preparation ensures that
equivalent user-inputted textual strings of characters
are treated as being equivalent.

>> Note that it is not a mandate.  It is a recommendation.
>
>Sure, but if implementations follow that recommendation, sites with
>servers using Unix /etc/passwd passwords are in trouble.  Unless they
>also follow a recommendation to allow this to be turned off.

I don't see how 2.41 of [Schema] applies to passwords not
held in userPassword.  ([AuthMeth] requirements might apply,
but you specifically referenced 2.41 of [Schema].)

Kurt
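
An added example, not part of the original message: a simplified SASLprep (RFC 4013) in Python, followed by an octet-wise comparison of the kind described above for userPassword. The helper names and the two sample passwords are constructed for illustration, and the check for unassigned code points is omitted.

```python
import stringprep
from unicodedata import ucd_3_2_0 as ucd  # stringprep tables are defined on Unicode 3.2

# RFC 4013 section 2.3: tables of prohibited output
PROHIBITED = (stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
              stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
              stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
              stringprep.in_table_c9)

def saslprep(text: str) -> str:
    """Simplified SASLprep; the unassigned-code-point check (table A.1) is omitted."""
    # Map: drop table B.1 characters, turn non-ASCII spaces (C.1.2) into U+0020.
    mapped = "".join(" " if stringprep.in_table_c12(ch) else ch
                     for ch in text if not stringprep.in_table_b1(ch))
    out = ucd.normalize("NFKC", mapped)  # Normalize
    for ch in out:  # Prohibit
        if any(check(ch) for check in PROHIBITED):
            raise ValueError(f"prohibited code point U+{ord(ch):04X}")
    # Bidi: RandALCat strings must not contain LCat and must start and end RandALCat.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise ValueError("mixed RandALCat and LCat characters")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("RandALCat string must start and end with RandALCat")
    return out

def userpassword_octets(text: str, prepare: bool) -> bytes:
    """Octets a client would store or assert (hypothetical helper)."""
    return (saslprep(text) if prepare else text).encode("utf-8")

def octet_string_match(stored: bytes, asserted: bytes) -> bool:
    """Octet-wise equality, as in the comparison described in the message."""
    return stored == asserted

# Constructed inputs that a user would consider the same password:
INPUT_A = "pa\u00adss\u00a0w\u00f6rd"   # soft hyphen, no-break space, precomposed o-umlaut
INPUT_B = "pass wo\u0308rd"             # plain space, o + combining diaeresis

if __name__ == "__main__":
    for prepare in (False, True):
        stored = userpassword_octets(INPUT_A, prepare)    # client A stores
        asserted = userpassword_octets(INPUT_B, prepare)  # client B asserts
        print("prepared" if prepare else "raw", octet_string_match(stored, asserted))
```
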