[Date Prev][Date Next]
Re: SASL and PAM based password changing
On Fri, 8 Feb 2002, Norbert Klasen wrote:
> --On Donnerstag, 7. Februar 2002 19:44 +0530 Shanker Balan
> <firstname.lastname@example.org> wrote:
> > Correct. Hmm... so what purpose does the OpenLDAP "extended operations"
> > serve?
> The "Password Modify Extended Operation" (see RFC 3062) has been defined to
> create a standard way for updating a user's password. As currently
> implemented in OpenLDAP, it will automatically hash the password before
> storing it in the userPassword attribute type.
It seems to me that, given a choice, I would on principle rather
have PAM hash the password BEFORE transmission to the LDAP server (which I
can do with pam_password <algorithm>) rather than having the server do the
hash after sending the password cleartext. I guess if I care about
security I'm of course using SSL anyways, but still... Why would I want to
use the password change exop when PAM handles things
just beautifully without it?