
Re: RFC2256: userPassword



> > This has nothing to do with replication, as far as I can see. If I'm a
> > client of LDAP, and I want to check if a user name and password that I have
> > been given go together, then I need to know what hash to use so I can
> > compare with what's stored in the userPassword attribute on that user's
> > account object in the directory. Seems like you are saying that it's
> > different for each different vendor.
> 
> No, no, no, no, no, no.
> 
> You don't authenticate by client compare
> of credentials, you authenticate by means
> of the LDAP bind operation. Hence the password
> validation mechanism is obscure to the client.

Wouldn't that be much slower (i.e., binding is slower than comparison)?
If a system desires to authenticate users based on LDAP, it desires to
connect just once so that performance is reasonable.

Bob

> If for some reason you really want to
> do client-side password validation,
> it's still possible in our product because
> we decorate the stored hashed value with
> a header which indicates the hash function used.
> Thus multiple hash functions may be
> employed within the same directory service.
> This is useful, for example, when some users
> are migrated from UNIX systems, complete
> with crypt hashes, but other users are
> created new, with stronger SHA or MD5
> hashes.
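The header-decorated userPassword format the quoted reply describes, as an added Python example that is not part of this thread or of any vendor's product: it assumes the `{SCHEME}base64` convention used by OpenLDAP (and others) for `{SHA}`, `{SSHA}`, `{MD5}`, `{SMD5}` and `{CRYPT}`, where a salted digest is followed by its salt; the 4-byte salt size is an assumption. It parses the scheme prefix, builds values, and does the client-side comparison in constant time.

```python
import base64
import hashlib
import hmac
import os

# Per scheme: digest function, digest length (where the salt starts), salted?
_SCHEMES = {
    "SHA": (hashlib.sha1, 20, False),
    "SSHA": (hashlib.sha1, 20, True),
    "MD5": (hashlib.md5, 16, False),
    "SMD5": (hashlib.md5, 16, True),
}

def parse_userpassword(value):
    """Split '{SCHEME}payload' into (SCHEME, payload); no header means cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.upper(), payload
    return None, value

def make_userpassword(scheme, password, salt=b""):
    """Build a decorated value; salted schemes get a random 4-byte salt
    unless one is supplied (assumed salt size, matching common practice)."""
    digest_fn, _, salted = _SCHEMES[scheme.upper()]
    salt = (salt or os.urandom(4)) if salted else b""
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))

def verify_userpassword(stored, candidate):
    """Client-side check of a candidate password against a stored value."""
    scheme, payload = parse_userpassword(stored)
    cand = candidate.encode("utf-8")
    if scheme is None:  # cleartext: still compare in constant time
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    if scheme == "CRYPT":  # UNIX crypt(3); the salt is embedded in the hash string
        try:
            import crypt  # stdlib up to Python 3.12, removed in 3.13
        except ImportError:
            raise ValueError("{CRYPT} needs the crypt module")
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)
    if scheme not in _SCHEMES:
        raise ValueError("unsupported userPassword scheme {%s}" % scheme)
    digest_fn, dlen, salted = _SCHEMES[scheme]
    blob = base64.b64decode(payload)
    digest, salt = blob[:dlen], blob[dlen:]
    if len(digest) != dlen or (salt and not salted):
        raise ValueError("malformed {%s} value" % scheme)
    return hmac.compare_digest(digest_fn(cand + salt).digest(), digest)
```

Because the scheme is carried in the value, a directory can hold crypt, SHA and MD5 entries side by side and a client that reads the attribute can tell which to apply; a bind keeps that choice entirely on the server.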