
RE: SASL secrets in LDAP



> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Lawrence Greenfield
>    Date: Mon, 06 May 2002 17:14:03 -0700
>    From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
>    Cc: <openldap-devel@OpenLDAP.org>
>
>    At 05:02 PM 2002-05-06, Howard Chu wrote:
>    >For many good reasons, we discourage the storage of plaintext
>    >passwords in LDAP.
>
>    Yes, but if userPassword is plaintext (as it really should be, see
>    RFC 2256), then we can certainly use it for DIGEST-MD5.
>
> Also, remember that the DIGEST-MD5 password hash is sufficient for
> authentication (it is not a one-way hash like /etc/passwd).

Good points. OK, sounds like generating the hash is a lot of unnecessary
effort since it needs as much protection as the plaintext. Might as well
just use the userPassword attribute as-is then. Simplifies life
considerably...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
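The point Lawrence makes above, worked through as an added Python example (not code from this thread, OpenLDAP or Cyrus SASL): in RFC 2831 DIGEST-MD5 the only per-user secret the server needs is MD5(username:realm:password), so whoever holds that stored value can produce a valid response without ever knowing the plaintext. The usernames, nonces and expected response are the example from RFC 2831 section 4; function names are my own.

```python
import hashlib
import hmac

# RFC 2831 DIGEST-MD5, qop=auth, no authzid. The "password hash" the thread
# refers to is the raw MD5 of "username:realm:password"; everything below
# derives from it, which is why it is password-equivalent within that realm.


def urp_hash(username: str, realm: str, password: str) -> bytes:
    """What a server would store instead of the plaintext: H(username:realm:passwd)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_response(urp: bytes, nonce: str, cnonce: str, nc: str, digest_uri: str) -> str:
    """response-value per RFC 2831 section 2.1.2.1, computed from the stored hash only.
    Note the inner H() is raw bytes here, unlike HTTP Digest's hex form."""
    a1 = urp + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode("utf-8")).hexdigest()


def client_response(username: str, realm: str, password: str,
                    nonce: str, cnonce: str, nc: str, digest_uri: str) -> str:
    """Client path: starts from the plaintext and derives the same hash on the fly."""
    return digest_response(urp_hash(username, realm, password), nonce, cnonce, nc, digest_uri)


def server_verify(stored_urp: bytes, nonce: str, cnonce: str, nc: str,
                  digest_uri: str, response: str) -> bool:
    """Server path: never needs the plaintext, only the stored hash (compare in constant time)."""
    expected = digest_response(stored_urp, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


# Example exchange from RFC 2831 section 4 (known-answer vector).
RFC2831_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com", password="secret",
                       nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
                       digest_uri="imap/elwood.innosoft.com",
                       response="d388dad90d4bbd760a152321f2143af7")

if __name__ == "__main__":
    e = RFC2831_EXAMPLE
    stored = urp_hash(e["username"], e["realm"], e["password"])
    # A directory holding only `stored` (no plaintext) both verifies the client and could
    # itself forge the same response: the stored hash must be guarded like the password.
    print("client response :", client_response(e["username"], e["realm"], e["password"],
                                               e["nonce"], e["cnonce"], e["nc"], e["digest_uri"]))
    print("from hash only  :", digest_response(stored, e["nonce"], e["cnonce"], e["nc"], e["digest_uri"]))
    print("server verifies :", server_verify(stored, e["nonce"], e["cnonce"], e["nc"], e["digest_uri"], e["response"]))
```

The practical consequence for the thread's question: a precomputed DIGEST-MD5 hash buys no reduction in protection requirements over userPassword, and it is additionally bound to one realm, so a realm change invalidates every stored value.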