[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP 2.0 and its crazy userPassword usage

"Kurt D. Zeilenga" wrote:
> >Changing the password with userPassword and hash-scheme would be as
> >follows:
> >- Check which one is the old password by iterating over all values
> >of userPassword values and comparing the hashed password to the
> >values.
> >- Modify the list of userPassword attribute values such that only
> >the old password is changed (with appropriate hashing scheme).
> >
> >Is that right? Would be kinda strange...
> That would be one approach.  But there are other approaches.d
> Clients should just use the password modify extended operation
> and let the server do the right thing.

Yes, I just had a look at RFC3062 especially since
draft-zeilenga-ldap-authpasswd-05.txt states for authPasswordSyntax:
"Transfer of values of this syntax is strongly discouraged.."

This does make sense but I wonder when we finally manage to have
widely deployed implementations...

> Otherwise the client
> needs to have apriori knowledge of how the server manages
> authentication secrets.

LDAP clients are doing a lot of assumptions anyway... ;-)

Ciao, Michael.