
Re: (ITS#7612) {CLEARTEXT} password scheme broken



On 2013-06-03 20:46, Kurt@OpenLDAP.org wrote:
> Not a bug...
> 
> Clear text passwords appear in userPassword without any RFC 2307 
> scheme, as in
> 
> userPassword: secret
> 
> not:
> 
> userPassword: {CLEARTEXT}secret

That's backwards.  userPassword values without a {scheme} prefix are
cleartext passwords.  Values with a {scheme} prefix use that scheme.

This does not imply that a scheme can't be used which simply
represents the passwords as-is, nor that slapd or slap tools have
any business stripping away such a {scheme} prefix.  In particular
not when that's the only way to represent cleartext passwords
starting with "{letters}".

Though possibly this would mean slapd needs a tweak to how it
represents non-prefixed passwords internally, if it currently
uses "{cleartext}" to tell itself that.  I have not looked yet.

-- 
Hallvard
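To make the distinction in the thread concrete, here is a small added example (not code from the thread, from slapd or from the OpenLDAP tree) that parses userPassword values the way the reply describes: an unprefixed value is the cleartext password, a `{SCHEME}` prefix selects that scheme, and `{CLEARTEXT}` is the only way to store a cleartext password that itself begins with `{letters}`. The scheme names in `KNOWN_SCHEMES` and the sample passwords are constructed for the example; `strip_cleartext_prefix` models the prefix-stripping behaviour the reply argues against, so you can see what it breaks.

```python
import re

# Constructed scheme list for the example; a real server has its own registry.
KNOWN_SCHEMES = {"CLEARTEXT", "SSHA", "SHA", "SMD5", "MD5", "CRYPT"}

# A {scheme} prefix is '{', a run of scheme-name characters, '}', then the payload.
_PREFIX_RE = re.compile(r"^\{([A-Za-z0-9_.-]+)\}(.*)$", re.DOTALL)


def parse_userpassword(value: str) -> tuple[str, str]:
    """Return (scheme, payload) for a stored userPassword value.

    No {scheme} prefix  -> ("CLEARTEXT", whole value)
    {CLEARTEXT}payload  -> ("CLEARTEXT", payload)
    {OTHER}payload      -> ("OTHER", payload), scheme name upper-cased
    An unknown scheme is reported as-is; the caller decides it is unusable.
    """
    m = _PREFIX_RE.match(value)
    if m is None:
        return "CLEARTEXT", value
    return m.group(1).upper(), m.group(2)


def is_usable(value: str) -> bool:
    """True when the stored value names a scheme this example understands."""
    scheme, _ = parse_userpassword(value)
    return scheme in KNOWN_SCHEMES


def encode_cleartext(password: str) -> str:
    """Pick a storage form for a cleartext password.

    A password starting with '{' would be read back as a {scheme} prefix, so
    it must carry the explicit {CLEARTEXT} prefix; anything else can be
    stored as-is, which is the usual unprefixed cleartext form.
    """
    if password.startswith("{"):
        return "{CLEARTEXT}" + password
    return password


def strip_cleartext_prefix(value: str) -> str:
    """The behaviour the reply objects to: silently dropping {CLEARTEXT}."""
    scheme, payload = parse_userpassword(value)
    if scheme == "CLEARTEXT" and value.upper().startswith("{CLEARTEXT}"):
        return payload
    return value


def round_trips(password: str) -> bool:
    """Encode a cleartext password, parse it back, compare."""
    return parse_userpassword(encode_cleartext(password)) == ("CLEARTEXT", password)


if __name__ == "__main__":
    # Constructed sample passwords, including ones that look like a scheme prefix.
    for pw in ["secret", "{md5}not-a-hash", "{braces}"]:
        stored = encode_cleartext(pw)
        print(f"{pw!r:22} stored as {stored!r:36} round-trips={round_trips(pw)}")
    # Stripping the prefix turns a cleartext password into a bogus MD5 value.
    broken = strip_cleartext_prefix(encode_cleartext("{md5}not-a-hash"))
    print("after stripping:", broken, "->", parse_userpassword(broken))
```

Running it shows `"{md5}not-a-hash"` being stored as `{CLEARTEXT}{md5}not-a-hash` and reading back correctly, while the stripped form `{md5}not-a-hash` parses as an MD5 value whose payload is not a hash, which is exactly the loss of information the reply warns about.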