Re: SASL secrets in LDAP

At 05:02 PM 2002-05-06, Howard Chu wrote:
>For many good reasons, we discourage the storage of plaintext passwords in

Yes, but if userPassword is plaintext (as it really should be, see
RFC 2256), then we can certainly use it for DIGEST-MD5.

>(The above paragraphs assume that we add a {DIGEST-MD5} password scheme.
>It's not clear to me that this is the right thing to do, it really doesn't
>make sense for this hash to be available to a simple Bind.)

I wouldn't add another userPassword scheme.  I'd use userPassword
in clear text or use authPassword (RFC 3112) (a scheme would have
to be added).  Password-exop can be used to update either.
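
Added example, not part of the original message: a sketch of the DIGEST-MD5 (RFC 2831) response computation, showing that a server can verify it from a cleartext userPassword or from a stored H(username:realm:password) value, but not from any other one-way hash. The storage labels, function names, and sample values are assumptions made for illustration; it assumes qop=auth, charset=utf-8 and no authzid.

```python
import hashlib
import hmac

def secret_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:passwd), the only password-derived input DIGEST-MD5 uses."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def response_from_secret(secret: bytes, nonce: str, cnonce: str, nc: str,
                         digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response-value, computed from the 16-byte secret hash."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    kd_input = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd_input.encode("utf-8")).hexdigest()

def server_verify(stored, username: str, realm: str,
                  client_response: str, **challenge) -> bool:
    """stored is a (kind, value) pair; the kinds are hypothetical labels:
    'plain'  -> cleartext password string
    'digest' -> precomputed H(username:realm:password) bytes
    anything else (e.g. a salted one-way hash) cannot yield the secret."""
    kind, value = stored
    if kind == "plain":
        secret = secret_hash(username, realm, value)
    elif kind == "digest":
        secret = value
    else:
        return False
    expected = response_from_secret(secret, **challenge)
    return hmac.compare_digest(expected, client_response)

# Constructed sample values, not taken from the thread.
CHALLENGE = dict(nonce="constructed-nonce", cnonce="constructed-cnonce",
                 nc="00000001", digest_uri="ldap/ldap.example.com")

if __name__ == "__main__":
    client = response_from_secret(
        secret_hash("alice", "example.com", "s3cret"), **CHALLENGE)
    for stored in (("plain", "s3cret"),
                   ("digest", secret_hash("alice", "example.com", "s3cret")),
                   ("ssha", b"constructed-salted-hash")):
        ok = server_verify(stored, "alice", "example.com", client, **CHALLENGE)
        print(stored[0], ok)
```

The stored digest is bound to one username and realm, and anyone holding it can compute valid DIGEST-MD5 responses for that realm without knowing the password.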