
[ldapext] Password Policy: hash algorithm specification and auto hash migration
Additional Isode-specific features include hash algorithm specification and auto migration of password hash algorithms (standard userPassword to/from RFC 2307 userPassword, and soon to/from authPassword [RFC3112] (for SCRAM)).  This might be something worthwhile to consider off-the-standard track (given tracks of RFC 2307 and RFC 3112).

In our implementation, we have two attributes which advertise the server's available hash compare and hash generate methods, and then two attributes which specify which compare and generate methods may be used.  The latter is single valued and is what gets used by the LDAP password modify operation.  Then we have a pwdAutoMigrate flag to enable auto-migration.

Auto-migration works by checking, at Simple Bind time (post authentication), to see if the current generate method differs from the hash method used for the user.  If so, the stored value is updated using the current generate method without resetting various state variables (such as pwdChangedTime).  This can be used to update from plain text passwords to a particular hash method, update from one hash method to another, and update from a hash algorithm to plain text.

We're currently adding support for authPassword, namely for use with SCRAM.  As part of this, we plan to update these password policy features.

-- Kurt
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
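A toy model of the bind-time auto-migration Kurt describes, added here as an illustration and not Isode's code. It assumes RFC 2307-style userPassword values ({SSHA}, {SHA}, or bare plain text), a per-entry dict with `userPassword` and `pwdChangedTime`, and a policy dict whose `generateScheme` (single-valued) and `pwdAutoMigrate` keys stand in for the attributes named in the post.

```python
import base64, hashlib, hmac, os

# Schemes this toy server can compare and can generate: stand-ins for the two
# "available methods" attributes in the post (names are assumed, not Isode's).
COMPARE_SCHEMES = {"SSHA", "SHA", "CLEAR"}
GENERATE_SCHEMES = {"SSHA", "SHA", "CLEAR"}

def generate(scheme, password, salt=None):
    """Encode a password RFC 2307-style: '{SCHEME}base64' or bare plain text."""
    if scheme not in GENERATE_SCHEMES:
        raise ValueError(f"unsupported generate scheme {scheme}")
    if scheme == "CLEAR":
        return password.decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()
    salt = os.urandom(8) if salt is None else salt          # SSHA: salted SHA-1
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def scheme_of(stored):
    """Scheme prefix of a stored userPassword value; no prefix means plain text."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEAR"

def compare(stored, password):
    """Verify a candidate password against the stored value (constant-time)."""
    scheme = scheme_of(stored)
    if scheme not in COMPARE_SCHEMES:
        return False                                  # cannot verify: refuse bind
    if scheme == "CLEAR":
        return hmac.compare_digest(stored.encode(), password)
    raw = base64.b64decode(stored[len(scheme) + 2:])  # strip "{SCHEME}"
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(password).digest())
    digest, salt = raw[:20], raw[20:]                 # SSHA: 20-byte digest + salt
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())

def simple_bind(entry, password, policy):
    """Simple Bind: authenticate, then auto-migrate the stored value if enabled.
    entry holds 'userPassword' and 'pwdChangedTime'; policy holds the single
    current 'generateScheme' and the 'pwdAutoMigrate' flag (assumed names)."""
    if not compare(entry["userPassword"], password):
        return False
    target = policy["generateScheme"]
    if policy["pwdAutoMigrate"] and scheme_of(entry["userPassword"]) != target:
        # Re-encode with the current generate method. pwdChangedTime is left
        # untouched: the password itself did not change, only its encoding.
        entry["userPassword"] = generate(target, password)
    return True
```

Migration only happens after a successful bind because the server needs the clear-text password to produce the new encoding; a failed bind leaves the entry untouched.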