Re: Newbie question: setting userPassword field
Please unsubscribe me from this list. I am currently not working in this
field, and I don't know the exact procedure of unsubscribing. I had been to
the site where I had subscribed from to unsubscribe, but it has not done so.
Can you please help me do so?
----- Original Message -----
From: Earl Robinson <email@example.com>
Cc: Dan <firstname.lastname@example.org>; <openldap-software@OpenLDAP.org>
Sent: Tuesday, February 08, 2000 8:50 AM
Subject: Re: Newbie question: setting userPassword field
> "Kurt D. Zeilenga" wrote:
> > At 01:26 PM 2/8/00 +1030, Dan wrote:
> > >Slowly becoming clearer. So then there would be LDAP clients that
> > >authenticate a user's login and password by attempting to bind?
> > Yes. The bind operation is the only mechanism to authenticate
> > to the LDAP directory.
> > >For example, I hook up an LDAP module to Apache. It asks me for a
> > >and password. I type in "dan", and "mypassword". Depending on the
> > >it may then attempt to bind as "dn=dan, o=fatcanary" using the password
> > >"mypassword". The OpenLDAP then hashes "mypassword" and compares it
> > >the userPassword field. If the hash matches, I'm authenticated; if
> > >denied access. Am I getting warmer here?
> > Yes.
> FYI, this type of authentication is quite common. The reason is that
> password hashing algorithms like crypt are "one way functions", i.e. you
> can generate a hash from a password, but you cannot then un-hash the
> hash to get the password. The only way to validate the user's password is
> to hash what you think the password is, and compare that to the hash in
> the password file/field/entry... Both Unix and NT (and probably
> countless other OSes) use this process to validate passwords.
> While we're on the topic of passwords and security, is there a way to
> get OpenLDAP to lock an account when someone has failed to authenticate
> x times in a row? If so, how would you unlock, and can it just lock for
> a specified period of time? From a security standpoint, this is an
> essential feature, otherwise, you are wide open to brute-force password
> just searched the FAQ, and didn't see anything close. Lately, I've seen
> a lot of folks post questions without checking first. I'd recommend you
> do. ;)
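
The hash-and-compare check described in the quoted thread, as an added example that is not part of the original messages and is not OpenLDAP's own code. It assumes the stored userPassword value carries a `{SHA}` or `{SSHA}` scheme prefix; the function names, salt and sample passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_ssha(password, salt=None):
    """Build a salted SHA-1 value: {SSHA} + base64(digest || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_user_password(candidate, stored):
    """Hash the candidate the same way as the stored value, then compare."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # no scheme prefix: refuse rather than guess
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA"):
        return False  # schemes outside this example are rejected
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False  # malformed base64 in the stored value
    if len(raw) < SHA1_LEN or (scheme == "SHA" and len(raw) != SHA1_LEN):
        return False
    # The salt, if any, is whatever follows the 20-byte digest.
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    stored = make_ssha("mypassword")  # constructed sample value
    print(stored)
    print(verify_user_password("mypassword", stored))  # matching password
    print(verify_user_password("guess123", stored))    # wrong password
```

The stored value is never decoded back into a password; only the candidate is hashed forward, which is why a bind attempt is the way to test a credential.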