
RE: ldap users auth to ldap ;)



One thing Netscape's Directory Server does which the LDAP_CRYPT patches do
not do is handle updating the userPassword attribute (and compares, rather
than binds) correctly.

With Netscape's Directory Server, the password is updated in the clear
(modulo protection of the LDAP session by SSL/TLS or SASL) so it's up to the
server to special-case updates of userPassword and generate the appropriate
hashes. This makes it easy to trigger updates in other directories (like
Netscape do with their directory synchronization service) or use a different
hash algorithm, such as SHA.

The UMich patches require that the new value of the userPassword attribute,
as it will appear in the directory (hashed and prefixed per RFC 2307) be
sent over LDAP. I suppose this has some superficial advantages where session
privacy isn't used, but we should probably fix this (otherwise it makes
password changing clients non-portable; as it is, the ldappasswd program
that ships with ypldapd has a flag to handle the UMich behaviour).




-- Luke

> -----Original Message-----
> From: owner-openldap-general@openldap.org
> [mailto:owner-openldap-general@openldap.org]On Behalf Of John Kristian
> Sent: Wednesday, September 16, 1998 11:01 AM
> To: openldap-general@openldap.org
> Cc: Clayton Donley; Jared Mauch
> Subject: Re: ldap users auth to ldap ;)
>
>
> Clayton Donley wrote:
> >
> > It appears that the LDAP_CRYPT patches have already been applied to
> > OpenLDAP ...
> > You can then put something like {CRYPT}BlxkDhghdakGe or
> something equally
> > repulsive looking in your userPassword attributes.
>
> RFC 2307 defines this userPassword syntax.  I don't know
> whether OpenLDAP
> (with LDAP_CRYPT) conforms to RFC 2307.  It should, IMHO.
>
>