[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Newbie question: setting userPassword field

Dustin Sallings wrote:

> There are about 80 LDAP modules for Apache.  The one I use verifies the
> password by binding as the user ...

That's a good, portable, future-proof technique.  It enables the LDAP client
software to work correctly without any knowledge of (or dependency on) the
LDAP server's password validation scheme and hash formats.

But I've heard developers argue that the LDAP client can be more efficient
and/or secure, by performing password validation (hash-and-compare) itself,
using password hashes read from the LDAP server.  Perhaps some of those 80
developers implemented it that way.  I don't advocate (or even defend) that
choice.  I merely think that, if they made that choice, they should follow
through and support the hash formats in current use.