Re: (ITS#7612) {CLEARTEXT} password scheme broken
On May 31, 2013, at 2:38 AM, wferi@niif.hu wrote:
> Full_Name: Ferenc Wágner
> Version: 2.4.31
> OS: Debian GNU/Linux squeeze
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (86.101.52.7)
>
>
> I'm trying to store the hypothetical password "{SSHA}" in cleartext, but
> slappasswd refuses to help:
>
> $ /usr/sbin/slappasswd -s {SSHA} -h {CLEARTEXT}
> Password verification failed.
>
> On #openldap hbf suggested that I file an ITS ("work" in the following means
> allowing binding):
>
> hbf: Looks like {CLEARTEXT} itself is broken. I think "userPassword:
> {CLEARTEXT}secret" should work, and so that slappasswd -h {CLEARTEXT} -s secret
> can output {CLEARTEXT}secret and userPassword: {CLEARTEXT}{SSHA} would be
> valid.
>
> As I agree with him, here it is.
>
Not a bug...

Clear text passwords appear in userPassword without any RFC 2307 scheme, as in
    userPassword: secret
not:
    userPassword: {CLEARTEXT}secret

A cleartext password of {SSHA} is disallowed for what should be obvious reasons.
-- Kurt
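
The ambiguity behind the reply above, as an added example that is not part of the original thread and is not OpenLDAP's code: a simplified verifier for RFC 2307 style userPassword values, in which a stored value that begins with a scheme prefix is always handed to that scheme and never compared as cleartext. The function names and the sample salt used to exercise it are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 2307 style prefix: "{SCHEME}" followed by scheme-specific data.
_SCHEME_RE = re.compile(r"^\{([^{}]+)\}(.*)$", re.DOTALL)


def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def classify(stored):
    """Return (scheme, data); scheme is None for an unprefixed cleartext value."""
    m = _SCHEME_RE.match(stored)
    return (m.group(1).upper(), m.group(2)) if m else (None, stored)


def check_password(stored, presented):
    """Simplified model: prefixed values are never compared as cleartext."""
    scheme, data = classify(stored)
    if scheme is None:
        return hmac.compare_digest(stored.encode(), presented.encode())
    if scheme == "SSHA":
        try:
            raw = base64.b64decode(data, validate=True)
        except ValueError:
            return False
        if len(raw) <= 20:  # need a 20-byte SHA-1 digest plus a salt
            return False
        digest, salt = raw[:20], raw[20:]
        expected = hashlib.sha1(presented.encode() + salt).digest()
        return hmac.compare_digest(digest, expected)
    return False  # unrecognized scheme: reject, do not fall back to cleartext


def safe_as_cleartext(candidate):
    """A cleartext value is storable only if it cannot be read as a scheme."""
    return classify(candidate)[0] is None
```

In this model a stored value of "{SSHA}" is read as an SSHA entry with an empty hash, so no presented password, including the literal string "{SSHA}", can ever match it.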