RE: RFC2256: userPassword
> -----Original Message-----
> From: David Boreham [mailto:dboreham@netscape.com]
> Paul Leach wrote:
>
> > In which case the userPassword attribute need not be visible to
> > clients at all. In which case this whole conversation has been bogus.
> > Which is what I thought all along.
>
> Yes, the whole discussion disappeared in a puff of logic.
All well and good, but...
> > > If for some reason you really want to
> > > do client-side password validation,
> > > it's still possible in our product because
> > > we decorate the stored hashed value with
> > > a header which indicates the hash function used.
> > > Thus multiple hash functions may be
> > > employed within the same directory service.
> > > This is useful, for example, when some users
> > > are migrated from UNIX systems, complete
> > > with crypt hashes, but other users are
> > > created new, with stronger SHA or MD5
> > > hashes.
> >
Your decorated hash values don't do the client any good if he only
has Compare access and not Read access - how does the client find out
which hash is in use? It seems to me that client-side validation is
really precluded here.
> > So, it _is_ different for each different vendor. As perceived
> > by clients.
>
> Until a standard is defined, yes.
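The decorated-hash scheme discussed in this thread, as an added example (not code from the thread or from any vendor's product): it assumes the `{SCHEME}digest` storage convention of RFC 2307 / OpenLDAP, and models Compare-only access, where the client never sees the header and so cannot choose the hash function itself; only the server can.

```python
import base64
import hashlib
import hmac
import os
import re

# Assumed storage convention (the thread only says "a header which
# indicates the hash function"): "{SCHEME}" + base64 digest, as used by
# RFC 2307 / OpenLDAP, e.g. {SHA}, {SSHA}, {MD5}.
_HEADER = re.compile(r"^\{([A-Za-z0-9]+)\}(.+)$")


def encode_userpassword(password: str, scheme: str = "SSHA") -> str:
    """Store a password under the given scheme, decorating it with a header."""
    pw = password.encode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "SSHA":  # salted SHA-1: sha1(pw || salt) || salt
        salt = os.urandom(8)
        blob = hashlib.sha1(pw + salt).digest() + salt
        return "{SSHA}" + base64.b64encode(blob).decode()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    raise ValueError(f"unsupported scheme {scheme}")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """What the server does on Compare: parse the header, pick the hash, check."""
    m = _HEADER.match(stored)
    if not m:  # no header: cleartext value, compare in constant time
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, blob = m.group(1).upper(), base64.b64decode(m.group(2))
    pw = candidate.encode()
    if scheme == "SHA":
        return hmac.compare_digest(blob, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if scheme == "MD5":
        return hmac.compare_digest(blob, hashlib.md5(pw).digest())
    return False  # unknown scheme: fail closed


class CompareOnlyEntry:
    """Entry where the client has Compare but not Read access to userPassword."""

    def __init__(self, stored: str) -> None:
        self._stored = stored

    def compare(self, candidate: str) -> bool:
        return verify_userpassword(self._stored, candidate)

    def read(self) -> str:
        raise PermissionError("no Read access to userPassword")
```

Because the client only ever gets a yes/no from `compare`, which scheme the server stored is invisible to it, which is exactly why client-side validation is precluded under Compare-only access.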