
Re: userPassword question



Chris Newman wrote:
> 
> On Fri, 24 Jul 1998, Bob Bick wrote:
> > From a newbie...
> >
> > When I retrieve an LDAP attribute value for the "userPassword" attribute,
> > the attribute value appears to be encrypted (probably a good thing). However,
> > I would like to compare the userPassword with the actual password.
> 
> Isn't it a violation of RFC 2256 to have the value of the userPassword
> attribute encrypted in a way that is visible to the protocol?  Or is my
> inexperience with LDAP showing?
> 
>                 - Chris
It may be a violation to store the password encrypted, but I think the
problem lies deeper. First of all, a password stored in the UNIX "crypt"
style cannot be "decrypted" (unless you mount an exhaustive search or a
dictionary attack). This aside, I think it is usually not needed for
applications to read and compare the userPassword entry. Any application
that wants to do an authentication should do a "bind" operation on the
LDAP server. This makes the application independent of the actual
authentication used by the server (I modified umich ldap to use the
regular UNIX user database for authentication; the LDAP server did not
even have a userPassword attribute).

Andreas
-- 
Microsoft -- definitely needs Viagra
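To make the two points of the reply concrete, here is an added Python example that is not part of the thread or of umich ldap. The first part shows why a hashed userPassword is compared by re-hashing rather than "decrypted": it uses OpenLDAP's {SSHA} scheme (salted SHA-1), which is an assumption standing in for the UNIX crypt style the reply names, and the stored value is constructed sample data. The second part is the approach the reply recommends, a simple bind that lets the server do the check; it assumes the third-party ldap3 package and a reachable server, so it is not exercised offline, and it guards against the classic pitfall that an empty password turns a simple bind into a successful anonymous bind.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value: base64(sha1(password || salt) || salt).
    Used here only to construct sample data for the check below."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Compare a candidate password with a stored {SSHA} value.
    Nothing is decrypted: the salt is recovered from the stored value, the
    candidate is hashed with that salt, and the two digests are compared in
    constant time."""
    if not stored.startswith(SCHEME):
        raise ValueError("not a {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; rest is salt
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


# Constructed sample: what an entry's userPassword might look like on the wire.
SAMPLE_USERPASSWORD = make_ssha("correct horse", salt=b"\x01\x02\x03\x04")


def authenticate_by_bind(uri: str, user_dn: str, password: str) -> bool:
    """The approach the reply recommends: ask the server to verify the
    credentials with a simple bind. Assumes ldap3 (imported lazily so the
    hash check above works without it) and a live server at `uri`."""
    if not password:
        # An empty password makes a simple bind anonymous, and an anonymous
        # bind normally succeeds; never treat that as an authenticated user.
        return False
    from ldap3 import Connection, Server
    conn = Connection(Server(uri), user=user_dn, password=password)
    ok = conn.bind()
    conn.unbind()
    return ok


if __name__ == "__main__":
    print(SAMPLE_USERPASSWORD)
    print(verify_ssha(SAMPLE_USERPASSWORD, "correct horse"))
    print(verify_ssha(SAMPLE_USERPASSWORD, "battery staple"))
```

Reading the hash and running verify_ssha requires the application to know the server's storage scheme and to be allowed to read userPassword at all; authenticate_by_bind needs neither, which is exactly the independence the reply describes.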