
Re: userPassword question



On Wed, 29 Jul 1998, Mark Smith wrote:
> database.  In fact, one of the deficiencies of CRAM-MD5 is that as far
> as I can tell it requires that the LDAP server store the password in the
> clear (or in a way that allows it to easily recover the clear text
> password).  But that's a different topic.

Not true.  You can store the intermediate MD5 state from the two MD5
operations in the HMAC.  It makes CRAM-MD5 marginally better than
APOP, CHAP and their ilk although it's still plaintext equivalent.

> a) If an LDAP client adds a userPassword value (via an add or modify
> operation) that is not hashed, we perform a one-way hash on it before
> storing it.  The actual value we store looks like "{crypt}CRYPTED-VALUE"
> or "{SHA}SHA-1-VALUE".
> 
> b) If a client adds a userPassword value that is already hashed, we just
> store it as is.
> 
> c) On bind operations, we compare the submitted value (which must be a
> clear text password) against all userPassword values -- hashed or
> unhashed -- in an entry.

So what happens if the client supplies a simple bind password of
"{crypt}CRYPTED-VALUE"?

		- Chris
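Worked illustration of the point made above about CRAM-MD5, added here and not part of the thread: a server can keep the two intermediate MD5 states of HMAC-MD5 (the hash state after absorbing key XOR ipad and key XOR opad) instead of the password, and still answer any challenge. The same stored state is all an attacker needs to impersonate the user, which is why it is still plaintext-equivalent. hashlib's `.copy()` stands in for serialising the raw chaining state; a real server would persist those bytes (an assumption of this demo, not any particular server's design). The test vector is the one from RFC 2195.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes; HMAC pads/hashes the key to this length


def stored_hmac_state(password: bytes):
    """What a CRAM-MD5 server can store instead of the cleartext password:
    the MD5 contexts after absorbing (key XOR ipad) and (key XOR opad).
    .copy() of a hashlib object models saving the intermediate state; a real
    server would serialise the chaining value (assumption for this demo)."""
    key = hashlib.md5(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))  # ipad = 0x36
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))  # opad = 0x5c
    return inner, outer


def cram_md5_response(state, challenge: bytes) -> str:
    """Finish HMAC-MD5(password, challenge) from the stored states only.
    The password itself is never needed at authentication time."""
    inner, outer = state
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.hexdigest()


def reference_response(password: bytes, challenge: bytes) -> str:
    """Plain HMAC-MD5 over the cleartext password, for comparison."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


# RFC 2195 section 2 example: user "tim", secret "tanstaaftanstaaf".
RFC2195_SECRET = b"tanstaaftanstaaf"
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC2195_RESPONSE = "b913a602c7eda7a495b4e6e7334d3890"


def impersonation_from_stored_state(state, challenge: bytes) -> bool:
    """Plaintext-equivalence check: whoever holds the stored state (say, from a
    copied database) can answer a fresh challenge without the password."""
    return cram_md5_response(state, challenge) == reference_response(
        RFC2195_SECRET, challenge
    )


if __name__ == "__main__":
    st = stored_hmac_state(RFC2195_SECRET)
    print(cram_md5_response(st, RFC2195_CHALLENGE))
    print("attacker with stored state authenticates:",
          impersonation_from_stored_state(st, b"<another.challenge@example>"))
```

The server gains only that a dumped database does not reveal the reusable cleartext (which the user may share with other systems); it does not stop anyone holding the dump from authenticating to this server, hence "marginally better" than APOP/CHAP.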
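To make the closing question concrete, here is an added example (not code from the thread or from any LDAP server) modelling the userPassword policy described in (a)-(c) with the {SHA} scheme, and contrasting two hypothetical ways a bind could handle a submitted value that looks like "{SHA}..." or "{crypt}...". The entry contents and the two policy functions are constructed for the demo; {crypt} is not modelled.

```python
import base64
import hashlib
import hmac


def sha_scheme(cleartext: bytes) -> str:
    """{SHA} value as stored in userPassword: base64 of SHA-1(cleartext)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(cleartext).digest()).decode()


def matches(stored: str, cleartext: bytes) -> bool:
    """Compare a cleartext bind password against one stored value, hashed or
    not, as policy (c) describes. Only {SHA} and unhashed values are handled."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, sha_scheme(cleartext))
    if stored.startswith("{"):
        raise ValueError("scheme not modelled in this example: " + stored[:8])
    return hmac.compare_digest(stored.encode(), cleartext)


def bind_value_always_cleartext(entry, submitted: bytes) -> bool:
    """Policy (c) taken literally: the bind value is always cleartext, so a
    submitted '{SHA}...' string is hashed like any other password."""
    return any(matches(v, submitted) for v in entry)


def bind_accepts_prehashed(entry, submitted: bytes) -> bool:
    """Hypothetical variant (assumption, not any server's behaviour): a bind
    value carrying a scheme prefix is treated as already hashed and compared
    to the stored values directly. This is what Chris's question probes."""
    s = submitted.decode(errors="replace")
    if s.startswith("{"):
        return any(hmac.compare_digest(v, s) for v in entry)
    return bind_value_always_cleartext(entry, submitted)


# Constructed entry: one hashed value (path a) and one stored as-is (path b).
CLEARTEXT = b"correct horse"
ENTRY = [sha_scheme(CLEARTEXT), "legacy-plain-value"]


def stored_hash_alone_suffices(policy) -> bool:
    """Does submitting the stored hash string as the bind password succeed?
    True means a copied hash is as good as the password (pass-the-hash)."""
    return policy(ENTRY, ENTRY[0].encode())


if __name__ == "__main__":
    for policy in (bind_value_always_cleartext, bind_accepts_prehashed):
        print(policy.__name__,
              "cleartext ok:", policy(ENTRY, CLEARTEXT),
              "hash-as-password ok:", stored_hash_alone_suffices(policy))
```

Under the literal reading of (c) the answer to the question is "it is hashed and fails to match"; only the second, hypothetical policy turns a leaked userPassword value into a usable credential. Note that the first policy also means a user whose genuine password happens to start with "{" is handled consistently, whereas the second would break that user.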