Re: Newbie question: setting userPassword field

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 01:48 PM 2/7/00 -0800, John Kristian wrote:
>Dustin Sallings wrote:
>
>> There are about 80 LDAP modules for Apache.  The one I use verifies the
>> password by binding as the user ...
>
>That's a good, portable, future-proof technique.

I agree.  A number of servers provide additional functionality, such
as access time restrictions, only when bind is used.  In addition,
compare should compare the asserted value with the stored value
without any hashing of the asserted value.  Some servers, however,
will auto hash the asserted value.

>It enables the LDAP client
>software to work correctly without any knowledge of (or dependency on) the
>LDAP server's password validation scheme and hash formats.

Or storage scheme.  Some servers support external password storage
or don't use userPassword (because it shouldn't be used to store
encrypted passwords).

>But I've heard developers argue that the LDAP client can be more efficient
>and/or secure, by performing password validation (hash-and-compare) itself,
>using password hashes read from the LDAP server.

I think what some modules are doing is replacing a "search / bind" (
so called "smart bind") sequence with a "search / local compare" sequence.

>Perhaps some of those 80
>developers implemented it that way.  I don't advocate (or even defend) that
>choice.  I merely think that, if they made that choice, they should follow
>through and support the hash formats in current use.

(I dislike authentication proxies/gateways in general, preferring
cross application protocol solutions such SASL and GSSAPI).

I advocate use the bind operation to authenticate users to the
directory.  No other set of operations can mimic authentication
to the directory in a portable, secure* manner.

* such approach may inappropriately authorize users. 

	Kurt