[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4837)


Zimbra has run into this issue in helping a customer who was running SunDS 
migrate to OpenLDAP.  It does not work at all, unfortunately.  Changing 
code to use an 8-bit salt does work.

So, I'd be happy to fix this, but a general design question --

(a) Should this be implemented as a "ssha-salt" option in slapd.conf


(b) Should OpenLDAP try decrypting the password first as a 4-bit salt, and 
then try an 8-bit salt, then fail?

(a) would be fairly portable across many salt settings, but AFAIK we've 
only hit 4 & 8

(b) would allow mixed salt values to be in userPassword, and I'd think that 
over time as people changed their passwords, it would allow the 8-bit salts 
to go away.

Thoughts welcome. :)


Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration