Re: userPassword question
On Wed, 29 Jul 1998, Mark Smith wrote:
> database. In fact, one of the deficiencies of CRAM-MD5 is that as far
> as I can tell it requires that the LDAP server store the password in the
> clear (or in a way that allows it to easily recover the clear text
> password). But that's a different topic.
Not true. You can store the intermediate MD5 state from the two MD5
operations in the HMAC. It makes CRAM-MD5 marginally better than
APOP, CHAP and their ilk, although it's still plaintext equivalent.
> a) If an LDAP client adds a userPassword value (via an add or modify
> operation) that is not hashed, we perform a one-way hash on it before
> storing it. The actual value we store looks like "{crypt}CRYPTED-VALUE"
> or "{SHA}SHA-1-VALUE".
>
> b) If a client adds a userPassword value that is already hashed, we just
> store it as is.
>
> c) On bind operations, we compare the submitted value (which must be a
> clear text password) against all userPassword values -- hashed or
> unhashed -- in an entry.
So what happens if the client supplies a simple bind password of
"{crypt}CRYPTED-VALUE"?
- Chris
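An added illustration of the "intermediate MD5 state" point above (example code written for this page, not posted by either correspondent). HMAC-MD5, which CRAM-MD5 uses, is MD5((K xor opad) || MD5((K xor ipad) || challenge)); both MD5 contexts have absorbed exactly one 64-byte block before the challenge arrives, so a server can keep those two contexts instead of the password. Python's hashlib cannot export a context's internal state, so this example keeps the copied objects in memory; the assumption that a real server would persist the 16-byte chaining value of each context is mine, not RFC text. The password and challenge strings are constructed.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes


def precompute_states(password: bytes):
    """Absorb (key ^ ipad) and (key ^ opad) into two MD5 contexts.

    These two contexts are the 'intermediate MD5 state' a server could store
    in place of the clear-text password. hashlib cannot serialise them, so the
    example keeps the objects; a real server would store the 16-byte chaining
    value of each (assumption about the storage format).
    """
    if len(password) > BLOCK:               # HMAC rule: long keys are hashed first
        password = hashlib.md5(password).digest()
    key = password.ljust(BLOCK, b"\x00")    # then zero-padded to one block
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def response_from_states(inner, outer, challenge: bytes) -> str:
    """Finish HMAC-MD5(challenge) from the stored states; the password is never needed."""
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.hexdigest()


def client_response(password: bytes, challenge: bytes) -> str:
    """What a CRAM-MD5 client sends: HMAC-MD5 of the challenge keyed by the password."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def server_verify(states, challenge: bytes, response: str) -> bool:
    """Server side check using only the stored states (constant-time compare)."""
    inner, outer = states
    expected = response_from_states(inner, outer, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    pw = b"correct horse"                                # constructed
    chal = b"<1896.697170952@postoffice.example>"        # constructed
    states = precompute_states(pw)
    assert server_verify(states, chal, client_response(pw, chal))
    # Plaintext equivalence: whoever holds the stored states can answer any
    # challenge, so the states must be protected exactly like the password.
    forged = response_from_states(*states, b"<another challenge>")
    assert forged == client_response(pw, b"<another challenge>")
```

The last two lines are the caveat in Chris's reply: the stored states are enough to impersonate the user to any server holding the same states, so the scheme avoids storing the literal password but does not reduce the damage of a database leak.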
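An added example of the two ways a server could answer Chris's closing question (written for this page; not code from either correspondent or from any LDAP server). Both functions implement the a/b/c scheme quoted above for "{SHA}" values. The "naive" variant is a hypothetical implementation that compares the bind value against every stored value literally as well as by re-hashing, so a bind with the stored "{SHA}..." string itself succeeds. The "strict" variant always treats the bind value as clear text, only ever matches tagged values by re-hashing, and rejects schemes it cannot verify (here "{crypt}", which is deliberately left unimplemented). The stored values are constructed.

```python
import base64
import hashlib
import hmac


def sha_userpassword(clear: bytes) -> str:
    """Stored form described in the post: "{SHA}" + base64(SHA-1(clear))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(clear).digest()).decode()


def split_scheme(stored: str):
    """'{SHA}abc' -> ('SHA', 'abc'); an untagged (clear) value -> (None, value)."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, rest = stored[1:].partition("}")
        return scheme.upper(), rest
    return None, stored


def bind_naive(submitted: str, stored_values) -> bool:
    """Hypothetical naive server: any literal or hash match against any stored value."""
    sub = submitted.encode()
    for stored in stored_values:
        if hmac.compare_digest(sub, stored.encode()):
            return True     # literal match, even when 'stored' is a {SHA} hash
        scheme, _ = split_scheme(stored)
        if scheme == "SHA" and hmac.compare_digest(
                sha_userpassword(sub).encode(), stored.encode()):
            return True
    return False


def bind_strict(submitted: str, stored_values) -> bool:
    """Bind value is clear text by definition; tagged values match only by re-hashing."""
    clear = submitted.encode()
    for stored in stored_values:
        scheme, _ = split_scheme(stored)
        if scheme is None:
            if hmac.compare_digest(clear, stored.encode()):
                return True
        elif scheme == "SHA":
            if hmac.compare_digest(sha_userpassword(clear).encode(), stored.encode()):
                return True
        # Any other scheme (e.g. {crypt} in this example) cannot be checked: fail closed.
    return False


if __name__ == "__main__":
    stored = [sha_userpassword(b"secret")]          # constructed entry
    assert bind_naive("secret", stored) and bind_strict("secret", stored)
    # The question from the post: bind with the stored hash string itself.
    assert bind_naive(stored[0], stored)            # accepted: the hash is the password
    assert not bind_strict(stored[0], stored)       # rejected
    assert not bind_strict("secret", ["{crypt}CRYPTED-VALUE"])
```

The naive path turns the userPassword attribute into a pass-the-hash credential: anyone who can read the entry can bind as it. The strict path also answers the follow-on ambiguity in case (a): a client that really wants the clear-text password "{SHA}..." should expect it to be hashed and tagged on storage, never kept as an untagged literal.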