
Re: SASL secrets in LDAP



At 05:02 PM 2002-05-06, Howard Chu wrote:
>For many good reasons, we discourage the storage of plaintext passwords in
>LDAP.

Yes, but if userPassword is plaintext (as it really should be, see
RFC 2256), then we can certainly use it for DIGEST-MD5.

>(The above paragraphs assume that we add a {DIGEST-MD5} password scheme.
>It's not clear to me that this is the right thing to do, it really doesn't
>make sense for this hash to be available to a simple Bind.)
>
>Thoughts?

I wouldn't add another userPassword scheme.  I'd use userPassword
in clear text or use authPassword (RFC 3112) (a scheme would have
to be added).  Password-exop can be used to update either.

Kurt
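Worked example of the point both sides are making: DIGEST-MD5 (RFC 2831) only ever needs H(username:realm:passwd) from the server side, so a cleartext userPassword works, a realm-bound hash of exactly that form would work, and a one-way scheme such as {SSHA} cannot. This is added illustration code, not OpenLDAP code and not from either poster. The "{DIGEST-MD5}<hex of H(user:realm:pass)>" value format is an assumption about the scheme Howard floated (the thread fixes no format), and the realm, nonces, URI and credentials are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values, not from the thread.
REALM = "example.com"
SAMPLE_NONCE = "OA6MG9tEQGm2hh"
SAMPLE_CNONCE = "OA6MHXh6VqTrRk"
SAMPLE_URI = "ldap/ldap.example.com"


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:passwd) from RFC 2831 section 2.1.2.1: all the server
    must know about the password, and it is bound to one realm."""
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str) -> str:
    """response-value for qop=auth, RFC 2831 section 2.1.2.1.
    A1 is the raw 16-byte secret followed by ":nonce:cnonce"."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:auth:{_md5hex(a2)}"
    return _md5hex(kd_input.encode("utf-8"))


def secret_from_stored(stored: str, username: str, realm: str) -> Optional[bytes]:
    """Derive the DIGEST-MD5 secret from a userPassword value.

    - no {scheme} prefix: cleartext (RFC 2256 userPassword), usable directly
    - {DIGEST-MD5}<hex>: hypothetical scheme (format assumed here) holding
      hex(H(username:realm:passwd)); usable only for the realm it was made for
    - anything else ({SSHA}, {CRYPT}, ...): a one-way hash of the password
      alone, from which the server cannot produce the DIGEST-MD5 secret
    """
    if not stored.startswith("{"):
        return digest_md5_secret(username, realm, stored)
    scheme, _, value = stored[1:].partition("}")
    if scheme.upper() == "DIGEST-MD5":
        return bytes.fromhex(value)
    return None


def verify_digest_md5(stored: str, username: str, realm: str, nonce: str,
                      cnonce: str, nc: str, digest_uri: str,
                      client_response: str) -> bool:
    """Server side: recompute the expected response from the stored value."""
    secret = secret_from_stored(stored, username, realm)
    if secret is None:
        return False  # scheme cannot serve DIGEST-MD5 at all
    expected = digest_md5_response(secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, client_response)


def client_response(username: str, realm: str, password: str, nonce: str,
                    cnonce: str, nc: str, digest_uri: str) -> str:
    """Client side: the client always has the cleartext password."""
    secret = digest_md5_secret(username, realm, password)
    return digest_md5_response(secret, nonce, cnonce, nc, digest_uri)


if __name__ == "__main__":
    resp = client_response("alice", REALM, "correct horse", SAMPLE_NONCE,
                           SAMPLE_CNONCE, "00000001", SAMPLE_URI)
    ha1_hex = digest_md5_secret("alice", REALM, "correct horse").hex()
    for stored in ("correct horse",               # cleartext userPassword
                   "{DIGEST-MD5}" + ha1_hex,      # assumed realm-bound scheme
                   "{SSHA}c29tZXNhbHRlZGhhc2g="): # constructed placeholder
        ok = verify_digest_md5(stored, "alice", REALM, SAMPLE_NONCE,
                               SAMPLE_CNONCE, "00000001", SAMPLE_URI, resp)
        print(f"{stored[:14]:<16} -> {'ok' if ok else 'cannot verify'}")
```

The {DIGEST-MD5} branch also shows why such a value is awkward outside this mechanism: it is tied to one realm (a different realm yields a different secret and verification fails), and whoever holds it can answer DIGEST-MD5 challenges for that realm without the password, so it needs the same protection as the cleartext value it replaces.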