Re: Newbie question: setting userPassword field

[Dave Carrigan <dave@rudedog.org>]

"Dan" <dan@fatcanary.com.au> writes:

> For example, I hook up an LDAP module to Apache.  It asks me for a username
> and password.  I type in "dan", and "mypassword".  

Yes.

> Depending on the module, it may then attempt to bind as "dn=dan,
> o=fatcanary" using the password "mypassword".

Yes. The exact method it uses to generate the DN may vary from module to
module. My module would first do a search of uid=dan to find an entry
that matches. (If the search returned more than one entry, it would deny
access). Then it fetches the DN corresponding to that entry, and
attempts a bind with that DN and "mypassword".

> The OpenLDAP then hashes "mypassword" and compares it with the
> userPassword field.  If the hash matches, I'm authenticated; if not,
> I'm denied access.  Am I getting warmer here?

Yes, although hash and compare is the minimum it will do. It is possible
to implement other site-specific policies that would do more than that
to determine if access is allowed.

-- 
Dave Carrigan (dave@rudedog.org)            | Yow! If this was a SWEDISH
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | MOVIE, I'd take off your GO-GO
Seattle, WA, USA                            | BOOTS!!
http://www.rudedog.org/                     |