Re: NT/LM hash support for OpenLDAP

[Sam Johnston <samj@samj.net>]

Kurt D. Zeilenga said:
> I note that the Modify Password Extended Operation is intended
> to be used update the user's LDAP password.  The operation
> is needed as user applications cannot assume that the password
> is in userPassword or any LDAP attribute for that matter.  For
> example, the operation could be used to update the LDAP user's
> password held in the SASL subsystem.

As in almost all situations the LDAP password is the same as the 
application specific password(s), and as it is almost certainly not a 
good idea to have applications generating hashes for other applications, 
do you see a problem with allowing users to utilise the existing 
mechanism to update these application specific passwords?

LDAP passwords are not 'the answer' in that many authentication 
mechanisms simply do not have the users' passwords to bind with. For 
example, unless you hack the registry of Windows machines, they will 
(rightly) refuse to send clear text passwords, sending instead a hash. 
Samba needs to be able to retrieve the hash from LDAP to authenticate 
the user. Similarly, for backwards compatibility products like ypldapd 
exist which need to pull the hashes from the database too. APOP and CHAP 
need the cleartext itself, and CRAM-MD5 needs the cleartext or a 'context'.

IMHO one of LDAP's most useful features is the ability to set up single 
sign on, and I believe that extending the modify password exop in this 
way is the cleanest and most functional way to do so. It would 
immediately give companies alternatives to products like NDS/AD and the 
associated vendor lockin, providing a single password for all services 
and paving the way for more secure authentication via kerberos, 
centralised (pam based) password policies, etc.

Apologies for the delay - I've been busy. Hopefully I won't have to wait 
as long for your response :)

--
Sam Johnston
Australian Online Solutions
1300 132 809