[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Newbie question: setting userPassword field

Please unsubscribe me from this list i am currently not working in this
field. and i dont know the exact procedure of unsubscribing . i had been to
the site where i had subscribed from to unsubscribe but it has not done so.
can u please help me do so


----- Original Message -----
From: Earl Robinson <earl@earlrobinson.com>
To: <hemant@cygsoft.com>
Cc: Dan <dan@fatcanary.com.au>; <openldap-software@OpenLDAP.org>
Sent: Tuesday, February 08, 2000 8:50 AM
Subject: Re: Newbie question: setting userPassword field

> "Kurt D. Zeilenga" wrote:
> >
> > At 01:26 PM 2/8/00 +1030, Dan wrote:
> > >Slowly becoming clearer.  So then there would be LDAP clients that
> > >authenticate a user's login and password by attempting to bind?
> >
> > Yes.  The bind operation is the only mechanism to authenticate
> > to the LDAP directory.
> >
> > >For example, I hook up an LDAP module to Apache.  It asks me for a
> > >and password.  I type in "dan", and "mypassword".  Depending on the
> > >it may then attempt to bind as "dn=dan, o=fatcanary" using the password
> > >"mypassword".  The OpenLDAP then hashes "mypassword" and compares it
> > >the userPassword field.  If the hash matches, I'm authenticated; if
not, I'm
> > >denied access.  Am I getting warmer here?
> >
> > Yes.
> FYI, this type of authentication is quite common. The reason is that
> password hashing algorithms like crypt are "one way functions", i.e. you
> can generate a hash from a password, but you cannot then un-hash the
> hash to get the password. The only way to validate the users password is
> to hash what you think the password is, and compare that to the hash in
> the password file/field/entry... Both Unix and NT (and probably
> countless other OSes) use this process to validate passwords.
> While we're on the topic of passwords and security, is there a way to
> get openldap to lock an account when someone has failed to authenticate
> x times in a row?  if so, how would you unlock, and can it just lock for
> a specified period of time? From a security standpoint, this is an
> essential feature, otherwise, you are wide open to brute-force password
> attacks.
> -earl
> p.s.
> just searched the faq, and didn't see anything close. Lately, I've seen
> alot of folks post questions without checking first. I'd recommend you
> do. ;)