Re: (ITS#4643) please don't use hpux getpass()



On 8/17/06, Kurt D. Zeilenga <Kurt@openldap.org> wrote:
> At 12:43 PM 8/17/2006, deckrider@gmail.com wrote:
> >On 8/17/06, Pierangelo Masarati <ando@sys-net.it> wrote:
> >
> >Thank you for responding.
> >
> >> deckrider@gmail.com wrote:
> >> > On HP-UX B.11.23 ia64, openldap 2.3.24 decides to use getpass().  This causes
> >> > problems, because our passwords are longer than 8 characters.  Thus, users with
> >> > passwords longer than 8 cannot use the password prompt.
> >> >
> >> Having passwords consistently limited to 8 chars by consistently using
> >> system-provided facilities may be considered a feature rather than a
> >> bug;
> >
> >Within the context of ldapsearch, I don't follow that rationale.
> >
> >And anyway, what does openldap do automatically if it finds both
> >getpass() and getpassphrase(), and why?
>
> getpassphrase(3) is favored over getpass(3) in environments that
> provide both.  It's assumed that the only difference between
> the two is the maximum length of the password they can get,
> with getpassphrase(3) able to get larger passwords.
>
> >Shouldn't that same logic be followed consistently throughout?
>
> We assume that getpassphrase(3) and getpass(3) are both generally
> more robust than our built-in code and hence favor them over our
> built-in code.

Unfortunately HP-UX B.11.23 ia64 has no getpassphrase(3) and is
limited to 8 characters, whereas, for example, Solaris 10 does have it
and its limit is 256.

So on hpux (unless you know about this hidden option for configure),
when using 'ldapsearch -W' against an ldap server with passwords
routinely larger than 8 characters, you can never bind/authenticate
because 'ldapsearch -W' silently truncates the password you enter to
its first 8 characters (unless of course you visibly display your
password on the screen by adding it to the command line).

Hopefully then, it can be understood that it is not a virtue for
'ldapsearch -W' to silently (and by default) truncate the entered
password to its first 8 characters.

Best Regards,
Dave.
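
Added illustration of the behaviour this message asks for (not OpenLDAP code and not written by anyone in the thread): a C prompt routine that turns terminal echo off itself and reports an overlong entry as an error instead of shortening it. The names `read_password` and `try_input` and the buffer sizes are assumptions made for the example.

```c
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Added example, not OpenLDAP code; both function names are hypothetical.
 * Reads one line from fd, echo off when fd is a terminal. Returns the length,
 * -1 on EOF/error before any input, -2 when the line does not fit in buf. */
static int read_password(int fd, char *buf, size_t bufsz)
{
    struct termios saved, noecho;
    int is_tty, overflow = 0, got = 0;
    size_t n = 0;
    ssize_t r;
    char c;
    if (bufsz == 0) return -1;
    is_tty = isatty(fd) && tcgetattr(fd, &saved) == 0;
    if (is_tty) {
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        tcsetattr(fd, TCSAFLUSH, &noecho);
    }
    while ((r = read(fd, &c, 1)) == 1 && c != '\n') {
        got = 1;
        if (n + 1 < bufsz) buf[n++] = c;
        else overflow = 1;              /* keep draining the line */
    }
    if (is_tty) tcsetattr(fd, TCSAFLUSH, &saved);
    buf[n] = '\0';
    if (overflow) { memset(buf, 0, bufsz); return -2; }  /* never a short password */
    return (r != 1 && !got) ? -1 : (int)n;
}

/* Feed a constructed input line through a pipe that stands in for the tty. */
static int try_input(const char *input, size_t bufsz)
{
    char buf[256];
    int fds[2], rc;
    if (bufsz > sizeof buf || pipe(fds) != 0) return -1;
    rc = write(fds[1], input, strlen(input)) < 0 ? -1 : 0;
    close(fds[1]);
    if (rc == 0) rc = read_password(fds[0], buf, bufsz);
    close(fds[0]);
    return rc;
}

int main(void)
{
    return try_input("12345678\n", 9) == 8 && try_input("123456789\n", 9) == -2 ? 0 : 1;
}
```

With a 9-byte buffer (8 characters plus the terminator) the 9-character entry is rejected with -2, so a caller can tell the user the password was too long rather than attempting a bind with its first 8 characters.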