
Re: (ITS#7612) {CLEARTEXT} password scheme broken



On Jun 3, 2013, at 1:08 PM, Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no> wrote:
> ...OTOH perhaps it's too late to change {cleartext} now if
> it has an established useful meaning.  Could introduce a new
> scheme called {plaintext} or {raw} instead for this purpose.


{CLEARTEXT} isn't an RFC 2307 hash scheme... it's a string used in configuration and command line cases to indicate that no RFC 2307 hash scheme is used, that is, the password is cleartext. In the code, IIRC, it's referred to as a pseudo-scheme for this reason.

The restrictions on clear text passwords that look like RFC 2307 hashed passwords exist because of the conflict between standard LDAPv3 behavior and RFC 2307 behavior.

Adding some RFC 2307 plain-text hash scheme doesn't remove the conflict between standard LDAPv3 behavior and RFC 2307 hashed passwords, so IMO the restriction should remain, at least by default. If such an option were introduced, the documentation should make clear that disabling the check can be problematic if stored hashed passwords are ever to be restored (on Bind) to LDAPv3 compliant passwords over a period of time.

-- Kurt
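An illustration of the ambiguity discussed above, written for this page and not taken from slapd or any OpenLDAP code: how a userPassword value is classified as an RFC 2307 "{SCHEME}..." string versus a raw LDAPv3 octet string, why {CLEARTEXT} acts only as a marker that is never stored, and the check that refuses a cleartext value that itself has the "{X}..." shape. The scheme set, helper names and the 4-byte salt are my own assumptions.

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 2307 hashed password: "{SCHEME}" prefix followed by scheme-specific data.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)
KNOWN_SCHEMES = {"SSHA"}          # assumption: the schemes this toy server can verify
CLEARTEXT_MARKER = "CLEARTEXT"    # pseudo-scheme: a marker, never stored as a prefix

def looks_hashed(value: str) -> bool:
    """True if a value has the RFC 2307 '{SCHEME}...' shape, whatever the scheme name."""
    return SCHEME_RE.match(value) is not None

def prepare_storage(value: str) -> str:
    """Turn an admin-supplied value into what would be stored in userPassword.

    '{CLEARTEXT}secret' means: store 'secret' verbatim. A cleartext value that
    itself looks like '{X}...' is rejected, because once stored it could no
    longer be told apart from an RFC 2307 hashed password on Bind.
    """
    m = SCHEME_RE.match(value)
    if m and m.group(1).upper() == CLEARTEXT_MARKER:
        raw = m.group(2)
        if looks_hashed(raw):
            raise ValueError("cleartext password would look like a hashed one")
        return raw
    if m and m.group(1).upper() in KNOWN_SCHEMES:
        return value                      # already hashed, store as given
    if m:
        raise ValueError("unknown scheme {%s}" % m.group(1))
    return value                          # plain LDAPv3 value, no '{' prefix

def ssha_hash(password: str, salt: bytes = None) -> str:
    """RFC 2307 {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(stored: str, candidate: str) -> bool:
    """Bind-time check: hashed values are verified by scheme, others compared raw."""
    m = SCHEME_RE.match(stored)
    if m is None:
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, data = m.group(1).upper(), m.group(2)
    if scheme == "SSHA":
        blob = base64.b64decode(data)
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    return False   # unknown scheme: never fall back to a cleartext compare
```

The last branch is the conflict in miniature: a stored cleartext password such as "{FOO}bar" can never authenticate, which is what the restriction Kurt describes prevents.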