[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: NT/LM hash support for OpenLDAP

Kurt D. Zeilenga said:
> I note that the Modify Password Extended Operation is intended
> to be used update the user's LDAP password.  The operation
> is needed as user applications cannot assume that the password
> is in userPassword or any LDAP attribute for that matter.  For
> example, the operation could be used to update the LDAP user's
> password held in the SASL subsystem.

As in almost all situations the LDAP password is the same as the application specific password(s), and as it is almost certainly not a good idea to have applications generating hashes for other applications, do you see a problem with allowing users to utilise the existing mechanism to update these application specific passwords?

LDAP passwords are not 'the answer' in that many authentication mechanisms simply do not have the users' passwords to bind with. For example, unless you hack the registry of Windows machines, they will (rightly) refuse to send clear text passwords, sending instead a hash. Samba needs to be able to retrieve the hash from LDAP to authenticate the user. Similarly, for backwards compatibility products like ypldapd exist which need to pull the hashes from the database too. APOP and CHAP need the cleartext itself, and CRAM-MD5 needs the cleartext or a 'context'.

IMHO one of LDAP's most useful features is the ability to set up single sign on, and I believe that extending the modify password exop in this way is the cleanest and most functional way to do so. It would immediately give companies alternatives to products like NDS/AD and the associated vendor lockin, providing a single password for all services and paving the way for more secure authentication via kerberos, centralised (pam based) password policies, etc.

Apologies for the delay - I've been busy. Hopefully I won't have to wait as long for your response :)

Sam Johnston
Australian Online Solutions
1300 132 809