[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7612) {CLEARTEXT} password scheme broken

On 2013-06-03 20:46, Kurt@OpenLDAP.org wrote:
> Not a bug...
> Clear text passwords appear in userPassword without any RFC 2307 
> scheme, as in
> userPassword: secret
> not:
> userPassword: {CLEARTEXT}secret

That's backwards.  userPassword values without a {scheme} prefix are
cleartext passwords.  Values with a {scheme} prefix use that scheme.

This does not imply that a scheme can't be used which simply
represents the passwords as-is, nor that slapd or slap tools have
any business stripping away such a {scheme} prefix.  In particular
not when that's the only way to represent cleartext passwords
starting with "{letters}".

Though possibly this would mean slapd needs a tweak to how it
represents non-prefixed passwords internally, if it currently
uses "{cleartext}" to tell itself that.  I have not looked yet.