[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7612) {CLEARTEXT} password scheme broken

On May 31, 2013, at 2:38 AM, wferi@niif.hu wrote:

> Full_Name: Ferenc Wágner
> Version: 2.4.31
> OS: Debian GNU/Linux squeeze
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> I'm trying to store the hypothetical password "{SSHA}" in cleartext, but
> slappasswd refuses to help:
> $ /usr/sbin/slappasswd -s {SSHA} -h {CLEARTEXT}
> Password verification failed.
> On #openldap hbf suggested that I file an ITS ("work" in the following means
> allowing binding):
> hbf: Looks like {CLEARTEXT} itself is broken.  I think "userPassword:
> {CLEARTEXT}secret" should work, and so that slappasswd -h {CLEARTEXT} -s secret
> can output {CLEARTEXT}secret and userPassword: {CLEARTEXT}{SSHA} would be
> valid.
> As I agree with him, here it is.

Not a bug... 

Clear text passwords appear in userPassword without any RFC 2307 scheme, as in

userPassword: secret


userPassword: {CLEARTEXT}secret

A cleartext password of {SSHA} is disallowed for what should be obvious reasons.

-- Kurt