
Re: RFC2256: userPassword



One issue with using ldap_compare() as the method
of authentication (such as the case of an IMAP
server using LDAP to determine access to a mailbox)
is that the compare must do special "magic things"
when comparing passwords vs. just comparing random
attribute values.  In the Sun LDAP server (and others
probably) this is expressed by giving the password
attribute a special syntax ("protected").  I don't
believe the Netscape server allows this: you must
bind-as-user to auth as user, and it must be against
the userPassword attribute, and compares just do a straight
string compare.

I've often wondered if it wasn't desirable to be able
to authenticate for different services against different
attributes, but I'm not aware of any LDAP servers
which support this.

Robert

>>Hmm. I once toyed with the idea of 
>>putting code in our server which 
>>would send me e-mail whenever a client 
>>sent a compare operation to it.
>>I figured my mailbox would remain
>>very quiet for a long time.
>>
>>Perhaps I was wrong...
>>
>>
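An added example, not part of the original message or of any server's code: a sketch of the difference between a straight string compare and a password-aware compare on a userPassword value. It assumes the value is stored in the "{SCHEME}base64" form with the {SHA} and {SSHA} schemes; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password: bytes, salt: bytes = None) -> bytes:
    """Build a stored value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def straight_compare(stored: bytes, asserted: bytes) -> bool:
    """What a plain attribute compare does: byte-for-byte equality."""
    return hmac.compare_digest(stored, asserted)


def password_aware_compare(stored: bytes, asserted: bytes) -> bool:
    """Compare that understands the storage scheme of the stored value."""
    if not stored.startswith(b"{"):
        # No scheme prefix: value is held in the clear.
        return hmac.compare_digest(stored, asserted)
    end = stored.find(b"}")
    if end == -1:
        return False
    scheme = stored[1:end].upper()
    try:
        blob = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError:
        return False
    if scheme == b"SHA" and len(blob) == 20:
        return hmac.compare_digest(hashlib.sha1(asserted).digest(), blob)
    if scheme == b"SSHA" and len(blob) > 20:
        digest, salt = blob[:20], blob[20:]  # SHA-1 digest, then the salt
        return hmac.compare_digest(hashlib.sha1(asserted + salt).digest(), digest)
    return False  # unknown scheme: fail closed


if __name__ == "__main__":
    stored = make_ssha(b"s3cret")  # constructed sample entry
    print("straight compare:      ", straight_compare(stored, b"s3cret"))
    print("password-aware compare:", password_aware_compare(stored, b"s3cret"))
```

SHA-1 appears here only because it is what these legacy schemes use.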