[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: RFC2256: userPassword

To: Paul Leach <paulle@microsoft.com>
Subject: Re: RFC2256: userPassword
From: dboreham@netscape.com (David Boreham)
Date: Wed, 30 Jun 1999 10:27:48 -0700
Cc: " ietf-ldapext@netscape.com" <ietf-ldapext@netscape.com>
References: <CB6657D3A5E0D111A97700805FFE65870B48E400@RED-MSG-51>
Resent-date: Wed, 30 Jun 1999 10:19:51 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"lSkSmC.A.lIF.kGle3"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Paul Leach wrote:

> This has nothing to do with replication, as far as I can see. If I'm a
> client of LDAP, and I want to check if a user name and password that I have
> been given go together, then I need to know what hash to use so I can
> compare with what's stored in the userPassword attribute on that user's
> account object in the directory. Seems like you are saying that its
> different for each different vendor.

No, no, no, no, no, no.

You don't authenticate by client compare
of credentials, you authenticate by means
of the LDAP bind operation. Hence the password
validation mechanism is obscure to the client.

If for some reason you really want to
do client-side password validation, 
it's still possible in our product because
we decorate the stored hashed value with
a header which indicates the hash function used.
Thus multiple hash functions may be
employed within the same directory service.
This is useful, for example, when some users
are migrated from UNIX systems, complete
with crypt hashes, but other users are
created new, with stronger SHA or MD5
hashes.

References:
- RE: RFC2256: userPassword
  - From: Paul Leach <paulle@microsoft.com>

Prev by Date: RE: RFC2256: userPassword
Next by Date: RE: RFC2256: userPassword
Index(es):
- Chronological
- Thread