
Re: userPassword: {SHA}



Just to clarify:

OpenLDAP 1.1 slapd supports SHA1, MD5, crypt(3) and cleartext
passwords for both users and root access.  You can disable
cleartext passwords altogether using --disable-cleartext.

Dave has written a new client called ldappasswd which
mimics the Unix passwd(1) program.  He has also provided
changes to the other ldap commands to optionally prompt
for password (as reading them from the command line isn't
so smart).  As the changes arrived after our new feature
cutoff date, these enhancements will not be available
until OpenLDAP 1.2.  This will also give Dave an opportunity
to put a few finishing touches on the enhancements, including
server side support for seeded SHA1 and MD5 passwords.  We
may also provide server-side generation of passwords (our
current server requires client side generation).

The schedule for OpenLDAP 1.2 has not yet been set, though
I suspect it to be around the new year.

kristian@netscape.com wrote:
> I suggest making the SHA-1 feature compatible with Netscape's server.

Our current implementation is based upon Luke Howard's RFC-2307:
        passwordvalue          = schemeprefix encryptedpassword
        schemeprefix           = "{" scheme "}"
        scheme                 = "crypt" / "md5" / "sha" / altscheme
        altscheme              = "x-" keystring
        encryptedpassword      = encrypted password

which I believe is compatible with Netscape.  We will likely
use "ssha1" and "smd5" as the scheme names for the seeded versions
like Netscape has done.

Kurt
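The RFC 2307 layout quoted in the message, worked through as an added example (not code from the thread or from OpenLDAP): a small Python client-side generator and verifier for {SHA}/{MD5} and their seeded variants. It assumes the scheme names "ssha"/"ssha1"/"smd5" and the Netscape/OpenLDAP convention of storing base64(digest || salt); matching scheme names case-insensitively and failing closed on unknown schemes are choices made here.

```python
import base64
import hashlib
import hmac
import os
import re

# "{" scheme "}" encryptedpassword, as in the RFC 2307 grammar above.
# Scheme tokens are compared case-insensitively; a value without a
# prefix is treated as a cleartext password.
_PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

# scheme -> (hashlib name, seeded?).  Seeded names are an assumption
# based on the post; the stored layout assumed is base64(digest || salt).
_DIGESTS = {
    "sha": ("sha1", False), "ssha": ("sha1", True), "ssha1": ("sha1", True),
    "md5": ("md5", False), "smd5": ("md5", True),
}


def hash_password(scheme, password, salt=None):
    """Build a {SCHEME}value string the way a client generates it before storing."""
    algo, seeded = _DIGESTS[scheme.lower()]
    # Unseeded schemes hash the bare password: two users with the same
    # password get identical values, which is why the seeded forms exist.
    salt = (os.urandom(4) if salt is None else salt) if seeded else b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode())


def verify_password(stored, password):
    """Check a candidate password against a userPassword value; unknown schemes fail closed."""
    m = _PREFIX.match(stored)
    if m is None:  # cleartext entry
        return hmac.compare_digest(stored.encode(), password.encode())
    scheme, encoded = m.group(1).lower(), m.group(2)
    if scheme not in _DIGESTS:
        return False
    algo, seeded = _DIGESTS[scheme]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    size = hashlib.new(algo).digest_size
    if len(raw) < size or (not seeded and len(raw) != size):
        return False
    digest, salt = raw[:size], (raw[size:] if seeded else b"")
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)
```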