[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes

Michael Ströder wrote:
> hyc@symas.com wrote:
>> Why should X user ever need to run this tool to generate a value?
>>From slappasswd(8):
>         Slappasswd is used to generate an userPassword value suitable
>         for use with ldapmodify(1), slapd.conf(5) rootpw configuration
>         directive or the slapd-config(5) olcRootPW configuration directive.
> Do you want to restrict this text regarding ldapmodify(1) only for the cases
> that the slappasswd user has also write access to back-config?

We could probably delete that ldapmodify(1) reference. Technically it has 
always been wrong, since there's never been any guarantee that an LDAP user's 
password was ever stored in any user-accessible attribute.

> Of course your are the OpenLDAP boss. You can change everything to make it
> work for you. But it breaks existing operational procedures for other people.

The text also states
	The practice of storing hashed passwords in userPassword violates
	Standard Track (RFC 4519) schema specifications and may hinder

Anyone building operational procedures on something that violates the specs 
was asking for trouble. Users should be using ldappasswd, that's what it's for.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/