
RE: userpassword formats



Thanks for the help, Kurt.  I'm getting a crash course in LDAP, and the
mailing list is invaluable.  SASL is in the works.  Right now, I'm just
trying to authenticate - crawling before walking  ; )

I've managed to get everything working under Outlook 2000, yay!  I can
authenticate in as "specialuser" to see everyone for Outlook, or as
anonymous to have access to the public org unit only.

Netscape 4.7 does not cooperate. With Outlook, I log in with a dn and
userpassword, but Netscape wants to authenticate against an email address
and password!?  I tried adding a mail attribute to my "specialuser", and
many other guesses - no luck.

If anyone is using authentication via Netscape 4.7 (or even Ver. 4.x)
against openldap, please enlighten me as to what I am missing.




-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Thursday, October 12, 2000 9:14 PM
To: mcoughlan@gothambroadband.com
Cc: openldap-software@OpenLDAP.org
Subject: Re: userpassword formats


At 05:11 PM 10/12/00 -0400, Mike Coughlan wrote:
>I am looking for information about how to set the userpassword field to
>authenticate LDAP from Netscape and Outlook.

Most LDAP clients (including the Netscape and Outlook clients)
use simple bind.  Simple bind provides no security protection itself.
Unless confidentiality is provided by a lower layer,
such as TLS (SSL) or IPSEC, the password is transmitted in the
clear.

>Does anyone know if Netscape and Outlook require secure hash algorithm
>format, clear-text or MD5 hash format?

Clients generally don't care.  The client sends the actual password
and the server computes the hash of the password and compares it
to the saved hash.  If the hashes match, the passwords are assumed
to match, and the authentication is successful.

The hashing of the stored password does not add security to the
simple bind operation.  Hashing the password just makes the value
not immediately usable if read from the directory.  However, the
value is still subject to dictionary and other attacks.  As such,
it's generally advised to protect hashed password values as if
they were the actual clear text password.  Appropriate access
controls are a must.  See the admin guide (if using 2.0) or the
FAQ (if using 1.2) for details on setting access controls.  Archives
of this list are also quite useful.

If you want a more secure solution, I suggest using SASL/GSSAPI,
SASL/DIGEST-MD5, SASL/EXTERNAL (TLS), or other strong
authentication mechanism.

>I believe Outlook wants secure hash format.  Does anyone know the easiest
>way to create and set this password?

ldappasswd(1)