Re: userPassword question
Chris Newman wrote:
>
> On Wed, 29 Jul 1998, Mark Smith wrote:
> > database. In fact, one of the deficiencies of CRAM-MD5 is that as far
> > as I can tell it requires that the LDAP server store the password in the
> > clear (or in a way that allows it to easily recover the clear text
> > password). But that's a different topic.
>
> Not true. You can store the intermediate MD5 state from the two MD5
> operations in the HMAC. It makes CRAM-MD5 marginally better than
> APOP, CHAP and their ilk although it's still plaintext equivalent.
Makes sense. Thanks for the clarification.
> ...
> > c) On bind operations, we compare the submitted value (which must be a
> > clear text password) against all userPassword values -- hashed or
> > unhashed -- in an entry.
>
> So what happens if the client supplies a simple bind password of
> "{crypt}CRYPTED-VALUE"?
It would be rejected. The actual "compare" algorithm we use for
userPassword values looks something like:

    foreach userPassword value V present in an entry
        1. determine the encoding used in V, e.g., crypt
        2. apply that encoding to the value presented in the bind
           operation
        3. compare V to the result of step 2. and return SUCCESS if they
           match
    return FAILURE
In your example, if the value {crypt}CRYPTED-VALUE was ALSO present in
the entry that is the target of the bind operation, we would apply the
UNIX crypt algorithm a second time to the password supplied by the
client. Bottom line: clients should always present passwords in clear
text.
-Mark
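The compare loop Mark describes, as an added example that is not code from the original thread or from any LDAP server: it detects the scheme prefix on each stored userPassword value, applies that scheme to the bind password, and succeeds if any value matches. The {SHA} and {SSHA} encodings (RFC 2307 style) stand in for {crypt}, which would need the system crypt(3); the sample entry and salts are constructed.

```python
import base64
import hashlib
import hmac


def sha_encode(clear: str, _stored: str = "") -> str:
    """{SHA}: base64(SHA-1(cleartext)), no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(clear.encode()).digest()).decode()


def ssha(clear: str, salt: bytes) -> str:
    """{SSHA}: base64(SHA-1(cleartext || salt) || salt)."""
    digest = hashlib.sha1(clear.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_encode(clear: str, stored: str) -> str:
    # Reuse the salt embedded in the stored value, as crypt(3) also does.
    salt = base64.b64decode(stored[len("{SSHA}"):])[20:]
    return ssha(clear, salt)


# Scheme prefix -> encoder(cleartext, stored_value).
SCHEMES = {"{SHA}": sha_encode, "{SSHA}": ssha_encode}


def encode_like(stored: str, presented: str) -> str:
    """Steps 1 and 2: find the encoding of V and apply it to the bind password.
    A value with no known prefix is treated as cleartext."""
    for prefix, encoder in SCHEMES.items():
        if stored.upper().startswith(prefix):
            return encoder(presented, stored)
    return presented


def bind_matches(user_passwords, presented: str) -> bool:
    """Step 3: SUCCESS if any stored value equals the re-encoded bind password."""
    for stored in user_passwords:
        candidate = encode_like(stored, presented)
        if hmac.compare_digest(candidate.encode(), stored.encode()):
            return True
    return False


# Constructed sample entry: one cleartext and one SSHA-hashed userPassword.
SAMPLE_ENTRY = ["secret", ssha("secret", b"\x01\x02\x03\x04")]

if __name__ == "__main__":
    print(bind_matches(SAMPLE_ENTRY, "secret"))         # True
    print(bind_matches(SAMPLE_ENTRY, SAMPLE_ENTRY[1]))  # False: hashed a second time
```

Presenting the stored "{SSHA}..." string as the bind password fails because the server re-applies the scheme to it, which is exactly why clients must send the cleartext.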