
RE: RFC2256: userPassword



> -----Original Message-----
> From: David Boreham [mailto:dboreham@netscape.com]

> Paul Leach wrote:
> 
> > In which case the userPassword attribute need not be visible to
> > clients at all. In which case this whole conversation has been
> > bogus. Which is what I thought all along.
> 
> Yes, the whole discussion disappeared in a puff of logic.

All well and good, but...

> > > If for some reason you really want to
> > > do client-side password validation,
> > > it's still possible in our product because
> > > we decorate the stored hashed value with
> > > a header which indicates the hash function used.
> > > Thus multiple hash functions may be
> > > employed within the same directory service.
> > > This is useful, for example, when some users
> > > are migrated from UNIX systems, complete
> > > with crypt hashes, but other users are
> > > created new, with stronger SHA or MD5
> > > hashes.
> > 
Your decorated hash values don't do the client any good if he only
has Compare access and not Read access - how does the client find out
which hash is in use? It seems to me that client-side validation is
really precluded here.

> > So, it _is_ different for each different vendor. As perceived
> > by clients.
> 
> Until a standard is defined, yes.
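The decorated-hash scheme quoted above, as an added example that is not code from this thread or from the product it discusses: a server-side Compare that dispatches on the `{SCHEME}` header, so a client with Compare-only access never needs to read the value (or learn which hash is in use). The scheme names, the base64 encoding of the digest and the sample entries are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac

# Scheme header -> hashlib algorithm. Assumed names following the common
# LDAP convention; {CRYPT} is deliberately absent so it fails closed below.
_DIGESTS = {"SHA": "sha1", "MD5": "md5"}


def parse_userpassword(stored: str):
    """Split '{SCHEME}data' into (scheme, data); no header means cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEARTEXT", stored


def make_userpassword(scheme: str, password: str) -> str:
    """Store a password decorated with its hash scheme (assumed format)."""
    digest = hashlib.new(_DIGESTS[scheme.upper()], password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest).decode("ascii"))


def compare_password(stored: str, candidate: str) -> bool:
    """Server-side check: pick the hash from the header, compare in constant time."""
    scheme, data = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode("utf-8"), candidate.encode("utf-8"))
    algo = _DIGESTS.get(scheme)
    if algo is None:          # unknown/unsupported scheme (e.g. {CRYPT} here)
        return False          # fail closed rather than guess
    try:
        expected = base64.b64decode(data, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return False
    actual = hashlib.new(algo, candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


# Constructed directory: one migrated-style entry, one new SHA entry, one MD5 entry.
DIRECTORY = {
    "uid=unixuser,dc=example": "{CRYPT}constructedNotRealHash",
    "uid=newuser,dc=example": make_userpassword("SHA", "secret"),
    "uid=md5user,dc=example": make_userpassword("MD5", "secret"),
}


def ldap_compare(dn: str, candidate: str) -> bool:
    """What a Compare-only client sees: just TRUE/FALSE, never the stored value."""
    stored = DIRECTORY.get(dn)
    return stored is not None and compare_password(stored, candidate)
```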