
Re: OpenSSL Password hash method.

At 04:23 PM 6/9/00 +0000, Pierrick Hascoet wrote:
>I'm new on this list, and would like to contribute to the OpenLDAP

Feel free.

>I've read the liblutil code source and think that the passwd hash
>method should be implemented with the OpenSSL library, which provides a good
>API and lots of supported crypto schemes to do that.

The current code natively supports SHA1 (seeded or not), MD5
(seeded or not), and crypt(3) hashed passwords [as well as
a number of external password stores].  The code could be
extended to support additional hash algorithms, and implementations
could be dependent on OpenSSL.  However, I would rather not make
the basic hash mechanisms depend on OpenSSL, as this would limit OpenLDAP
to OpenSSL-supported platforms.

>The dark side of this thing is that some parts of OpenLDAP will be linked
>with OpenSSL.

Exactly.  We should (and do) use OpenSSL where appropriate, but
OpenLDAP should be able to operate (securely) without OpenSSL.

>But the library would be used next for the SSL and TLS
>support  ...

Already implemented.  And I suspect we'll be able to use
alternative TLS implementations as well.  OpenSSL is good,
but it's not right for everyone.
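As an added illustration of the seeded and unseeded SHA1/MD5 schemes the reply refers to (this is example code written for this page, not liblutil's own implementation), the following uses only the Python standard library, which is in the spirit of the point that the basic hash mechanisms should not require OpenSSL. It assumes the standard OpenLDAP userPassword layout: `{SHA}`/`{MD5}` is base64 of the bare digest, and `{SSHA}`/`{SMD5}` is base64 of the digest followed by the salt, with the digest computed over password plus salt. The scheme table and function names are mine.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Scheme name -> (digest constructor, whether a salt ("seed") is appended).
# Layout assumed here: {SSHA}base64(sha1(pw || salt) || salt), {SHA}base64(sha1(pw)).
_SCHEMES = {
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
}


def hash_password(password: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value such as '{SSHA}...' for the given scheme.

    For the seeded schemes a random 8-byte salt is generated unless one is
    supplied (supplying one is only useful for reproducible tests).
    """
    scheme = scheme.upper()
    digest_fn, seeded = _SCHEMES[scheme]
    pw = password.encode("utf-8")
    if seeded:
        if salt is None:
            salt = os.urandom(8)
        raw = digest_fn(pw + salt).digest() + salt
    else:
        raw = digest_fn(pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored '{SCHEME}base64' value.

    Returns False for unknown schemes or malformed values rather than raising,
    so a bad directory entry cannot turn into an exception path in a bind.
    """
    if not stored.startswith("{"):
        return False
    end = stored.find("}")
    if end < 0:
        return False
    scheme = stored[1:end].upper()
    if scheme not in _SCHEMES:
        return False
    digest_fn, seeded = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest_len = digest_fn().digest_size
    pw = password.encode("utf-8")
    if seeded:
        # Salt is whatever follows the fixed-length digest; require at least one byte.
        if len(raw) <= digest_len:
            return False
        digest, salt = raw[:digest_len], raw[digest_len:]
        expected = digest_fn(pw + salt).digest()
    else:
        if len(raw) != digest_len:
            return False
        digest, expected = raw, digest_fn(pw).digest()
    # Constant-time comparison so the match check itself leaks nothing.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for s in _SCHEMES:
        h = hash_password("secret", s)
        print(h, verify_password("secret", h), verify_password("wrong", h))
```

The unseeded forms are deterministic, so two users with the same password get identical values and precomputed tables apply directly; the seeded forms make each stored value unique, which is why `{SSHA}` is the usual choice of the two.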