[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL and PAM based password changing

On Fri, 8 Feb 2002, Norbert Klasen wrote:
> --On Donnerstag, 7. Februar 2002 19:44 +0530 Shanker Balan 
> <shanu@exocore.com> wrote:
> > Correct. Hmm... so what purpose does the OpenLDAP "extended operations"
> > serve?
> The "Password Modify Extended Operation" (see RFC 3062) has been defined to 
> create a standard way for updating a user's password. As currently 
> implemented in OpenLDAP, it will automatically hash the password before 
> storing it in the userPassword attribute type.

It seems to me that, given a choice, I would on principle rather
have PAM hash the password BEFORE transmission to the LDAP server (which I
can do with pam_password <algorithm>) rather than having the server do the
hash after sending the password cleartext.  I guess if I care about
security I'm of course using SSL anyways, but still... Why would I want to
use the password change exop when PAM handles things
just beautifully without it?