Re: Newbie question: setting userPassword field
"Dan" <firstname.lastname@example.org> writes:
> For example, I hook up an LDAP module to Apache. It asks me for a username
> and password. I type in "dan", and "mypassword".
> Depending on the module, it may then attempt to bind as "dn=dan,
> o=fatcanary" using the password "mypassword".
Yes. The exact method it uses to generate the DN may vary from module to
module. My module would first do a search of uid=dan to find an entry
that matches. (If the search returned more than one entry, it would deny
access.) Then it fetches the DN corresponding to that entry, and
attempts a bind with that DN and "mypassword".
> The OpenLDAP then hashes "mypassword" and compares it with the
> userPassword field. If the hash matches, I'm authenticated; if not,
> I'm denied access. Am I getting warmer here?
Yes, although hash and compare is the minimum it will do. It is possible
to implement other site-specific policies that would do more than that
to determine if access is allowed.
Dave Carrigan (email@example.com) | Yow! If this was a SWEDISH
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | MOVIE, I'd take off your GO-GO
Seattle, WA, USA | BOOTS!!
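
The search-then-bind flow described in the reply above, written out in Python against a constructed in-memory directory. This is an added example, not part of the original message and not code from any Apache module or from OpenLDAP. The {SSHA} storage scheme, the DNs under o=fatcanary and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac

def ssha(password, salt):
    """Build an {SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored, password):
    """Server side of a simple bind: re-hash with the stored salt, then compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)  # constant-time comparison

# Constructed sample directory (DN -> attributes); assumed layout, not real data.
DIRECTORY = {
    "uid=dan,ou=people,o=fatcanary":
        {"uid": "dan", "userPassword": ssha("mypassword", b"\x01\x02\x03\x04")},
    "uid=pat,ou=staff,o=fatcanary":
        {"uid": "pat", "userPassword": ssha("secret", b"\x05\x06\x07\x08")},
    "uid=pat,ou=contractors,o=fatcanary":
        {"uid": "pat", "userPassword": ssha("secret", b"\x09\x0a\x0b\x0c")},
}

def search_uid(directory, uid):
    """Stand-in for a directory search on uid; returns the DNs that match."""
    return [dn for dn, attrs in directory.items() if attrs["uid"] == uid]

def simple_bind(directory, dn, password):
    """Stand-in for the server's hash-and-compare on a simple bind."""
    entry = directory.get(dn)
    return entry is not None and check_ssha(entry["userPassword"], password)

def authenticate(directory, username, password):
    """Client side: search for uid, require exactly one entry, bind as its DN."""
    # A real server may accept a bind that carries a DN and an empty password
    # as an unauthenticated bind (RFC 4513 section 5.1.2), so refuse it here.
    if not username or not password:
        return False
    matches = search_uid(directory, username)
    if len(matches) != 1:  # no entry, or an ambiguous uid: deny access
        return False
    return simple_bind(directory, matches[0], password)
```

A module talking to a real server would also escape the username before placing it in the search filter (RFC 4515); the in-memory lookup here compares the value directly, so no filter string is built.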