
Re: userpassword encode/hash



At 09:32 AM 8/31/2004, John Wagner wrote:
>I've been wondering if you all could give me a brief on why OpenLDAP
>slapd doesn't automatically encode/hash userpasswords -

A short answer lies in the first sentence of Section 5.36
of RFC 2256, as well as the last sentence of Section 6.1 of
draft-ietf-ldapbis-models-xx.txt.  The long answer lies
in the archives (of this list, the software list, and
various LDAP/X.500 standardization lists).

>or at least have the option?

We've provided a plugin API which allows those who want to
violate the standards to do so. :-)

>I've written a few modifications to the slapd, including a simple
>patch/modification to modify.c that will encode/hash the userpassword
>attribute when a mod is done.  It also checks to make sure that it
>isn't already encoded; if it is, it doesn't encode again.
>Any interest? 

Personally, no.  But I likely wouldn't object to inclusion
of a contribWare plugin which did such if it included an
appropriate README detailing how it violates the standards
and the issues that might cause to those choosing to deploy
the plugin.

Kurt
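
The behaviour described in the quoted question (hash userPassword on modify, skip values that already look encoded), sketched as an added example that is neither the poster's patch nor OpenLDAP code. The {SSHA} scheme, the list of recognised schemes and all function names are assumptions, since the message names none.

```python
import base64
import hashlib
import hmac
import os
import re

# RFC 2307-style storage prefix such as "{SSHA}" or "{CRYPT}".
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")
KNOWN_SCHEMES = {b"SSHA", b"SHA", b"SMD5", b"MD5", b"CRYPT"}  # assumed list


def is_encoded(value: bytes) -> bool:
    """True if the value already carries a recognised {SCHEME} prefix."""
    m = SCHEME_RE.match(value)
    return bool(m) and m.group(1).upper() in KNOWN_SCHEMES


def ssha(password: bytes, salt: bytes = b"") -> bytes:
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(stored: bytes, password: bytes) -> bool:
    """Recompute the digest with the stored salt and compare."""
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def on_modify(attr: str, values: list) -> list:
    """Hypothetical modify hook: hash cleartext userPassword values only."""
    if attr.lower() != "userpassword":
        return values
    # The prefix test is a guess about intent: a cleartext value that
    # happens to start with "{SSHA}" is passed through unhashed, and the
    # server ends up storing something other than what the client sent.
    return [v if is_encoded(v) else ssha(v) for v in values]


if __name__ == "__main__":
    stored = on_modify("userPassword", [b"s3cret"])  # constructed sample
    print(stored[0], verify_ssha(stored[0], b"s3cret"))
    print(on_modify("userPassword", stored) == stored)  # no double hashing
```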