[Date Prev][Date Next] [Chronological] [Thread] [Top]

userPassword in generated LDIF

Many SASL mechanisms require access to the user's password in
cleartext form.  So that administrators will not be inadvertently
exposed to userPassword in cleartext form, I believe it would be
wise to modify the ldif generation code used by ldapsearch
and ldbmcat to present userPassword values in base64 encoding.

This adds zero password security... an administrator can easily
decode the base64 to obtain the password.  However, it much
easier for an administrator to forget a base64 string than
an actual password if she is inadvertently exposed.