[Date Prev][Date Next]
Re: NT/LM hash support for OpenLDAP
Kurt D. Zeilenga said:
> I note that the Modify Password Extended Operation is intended
> to be used update the user's LDAP password. The operation
> is needed as user applications cannot assume that the password
> is in userPassword or any LDAP attribute for that matter. For
> example, the operation could be used to update the LDAP user's
> password held in the SASL subsystem.
As in almost all situations the LDAP password is the same as the
application specific password(s), and as it is almost certainly not a
good idea to have applications generating hashes for other applications,
do you see a problem with allowing users to utilise the existing
mechanism to update these application specific passwords?
LDAP passwords are not 'the answer' in that many authentication
mechanisms simply do not have the users' passwords to bind with. For
example, unless you hack the registry of Windows machines, they will
(rightly) refuse to send clear text passwords, sending instead a hash.
Samba needs to be able to retrieve the hash from LDAP to authenticate
the user. Similarly, for backwards compatibility products like ypldapd
exist which need to pull the hashes from the database too. APOP and CHAP
need the cleartext itself, and CRAM-MD5 needs the cleartext or a 'context'.
IMHO one of LDAP's most useful features is the ability to set up single
sign on, and I believe that extending the modify password exop in this
way is the cleanest and most functional way to do so. It would
immediately give companies alternatives to products like NDS/AD and the
associated vendor lockin, providing a single password for all services
and paving the way for more secure authentication via kerberos,
centralised (pam based) password policies, etc.
Apologies for the delay - I've been busy. Hopefully I won't have to wait
as long for your response :)
Australian Online Solutions
1300 132 809