
Re: Newbie question: setting userPassword field



"Kurt D. Zeilenga" wrote:
> 
> At 01:26 PM 2/8/00 +1030, Dan wrote:
> >Slowly becoming clearer.  So then there would be LDAP clients that would
> >authenticate a user's login and password by attempting to bind?
> 
> Yes.  The bind operation is the only mechanism to authenticate
> to the LDAP directory.
> 
> >For example, I hook up an LDAP module to Apache.  It asks me for a username
> >and password.  I type in "dan", and "mypassword".  Depending on the module,
> >it may then attempt to bind as "dn=dan, o=fatcanary" using the password
> >"mypassword".  The OpenLDAP then hashes "mypassword" and compares it with
> >the userPassword field.  If the hash matches, I'm authenticated; if not, I'm
> >denied access.  Am I getting warmer here?
> 
> Yes.

FYI, this type of authentication is quite common. The reason is that
password hashing algorithms like crypt are "one way functions", i.e. you
can generate a hash from a password, but you cannot then un-hash the
hash to get the password. The only way to validate the user's password is
to hash what you think the password is, and compare that to the hash in
the password file/field/entry... Both Unix and NT (and probably
countless other OSes) use this process to validate passwords.

While we're on the topic of passwords and security, is there a way to
get OpenLDAP to lock an account when someone has failed to authenticate
x times in a row?  If so, how would you unlock, and can it just lock for
a specified period of time? From a security standpoint, this is an
essential feature, otherwise, you are wide open to brute-force password
attacks.

-earl

p.s.
just searched the FAQ, and didn't see anything close. Lately, I've seen
a lot of folks post questions without checking first. I'd recommend you
do. ;)
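The hash-and-compare step Earl describes, as an added example that is not part of this thread or of OpenLDAP's own code: it builds a userPassword value in OpenLDAP's {SSHA} form (base64 of SHA-1(password + salt) followed by the salt) and then verifies a candidate password the way a bind would, by re-hashing with the stored salt and comparing digests. The function names and the 4-byte salt length are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digests are 20 bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} userPassword value from a clear-text password.

    Hypothetical helper (not OpenLDAP's code). Layout of the base64 payload:
    sha1(password + salt) followed by the salt itself, so the salt can be
    recovered at verification time.
    """
    if salt is None:
        salt = os.urandom(4)  # assumed 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value.

    This is the one-way check: the stored digest cannot be reversed, so the
    candidate is hashed with the same salt and the two digests are compared.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN:
        return False  # malformed value: too short to hold a digest
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not reveal a partial match.
    return hmac.compare_digest(digest, recomputed)


if __name__ == "__main__":
    # Constructed sample: the password from Dan's message, with a fixed salt.
    entry = make_ssha("mypassword", salt=b"\x01\x02\x03\x04")
    print(entry, check_ssha(entry, "mypassword"), check_ssha(entry, "nope"))
```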