
Re: Applications, authentication, and hashing methods..

Still, how does one go about maintaining two passwords for two applications
in an LDAP directory?

----- Original Message -----
From: "Luca Scamoni" <luca.scamoni@sys-net.it>
To: <dap99@i-55.com>
Cc: <openldap-software@OpenLDAP.org>
Sent: Tuesday, March 02, 2004 2:23 AM
Subject: Re: Applications, authentication, and hashing methods..

> adp wrote:
> > This is a general LDAP question, and not specific to OpenLDAP, but I
> > have a feeling I will get some good answers here. :)
> >
> > Let's say I have a generic set of applications X, Y, and Z. I want users
> > of these applications to auth using information in LDAP. (We are indeed
> > running OpenLDAP.) In general I can do this by trying to bind as that
> > user. So if userPassword is in crypt form I need to crypt() my password
> > and then submit it, and ditto for SHA1, when binding. For plaintext I
> > just send the password in plaintext. This assumes that a user will have
> > the same password for all applications.
> >
> No. You DON'T have to crypt anything in your application. The password is sent
> to the server in plaintext and the server crypts it with the correct algorithm
> before checking against the stored password. If you need to raise security
> you can set up TLS.
> > There is a possibility that I will need to support some applications
> > that need a different password for my users.
> >
> > I'm wondering how to best support this?
> >
> > If the application is open source I could change the code so that it
> > compared the user's entered password against something in their entry.
> > (Score one for open source.)
> >
> > If the application is closed and just tries to do a bind is there a
> > solution? I don't see one.
> >
> > Also, speaking of passwords, I also have the potential issue that an
> > application doesn't support the form of hashing that I use for
> > userPassword when a user sets her password. Let's say that I hash a
> > password when putting it into userPassword using SHA1. That means I have
> > to force all of my applications to first hash using SHA1 and then do a
> > bind. How can I support applications that use different methods to hash
> > algorithms?
> --
> Luca Scamoni - e-mail: luca.scamoni@sys-net.it
> SysNet snc - Via Dossi, 8 - 27100 Pavia Italy
> IT Specialist - mobile: +393471014425
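The point Luca makes above (the application sends the password in the clear on the bind, and it is the directory server that looks at the scheme prefix of userPassword and hashes the candidate the same way) is easy to see in code. The following is an added example, not code from the thread or from OpenLDAP: a toy server-side check for RFC 2307-style userPassword values ({SHA}, {SSHA}, {MD5}, {SMD5} and cleartext) plus a toy simple bind over a constructed in-memory directory. The DNs, salts and entries are made up for the example; a {CRYPT} entry is included only to show that a scheme the server does not implement makes the bind fail, not that the client has to do anything differently.

```python
# Added example (not from the thread): what the directory server does on a
# simple bind. The client sends the password in the clear (hence TLS); the
# server reads the scheme prefix of the stored userPassword value and hashes
# the candidate the same way before comparing. Scheme names and the RFC 2307
# layout ({SSHA} = base64(sha1(password + salt) + salt)) are real; the
# directory contents, DNs and salts below are constructed for the example.
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# digest function, digest length and whether the scheme carries a trailing salt
_SCHEMES = {
    "SHA": (hashlib.sha1, 20, False),
    "SSHA": (hashlib.sha1, 20, True),
    "MD5": (hashlib.md5, 16, False),
    "SMD5": (hashlib.md5, 16, True),
}


def make_userpassword(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password the way the directory would store it in userPassword.
    "CLEARTEXT" stores it as-is; salted schemes get a random salt unless one is
    passed explicitly (a fixed salt is only useful for reproducible tests)."""
    if scheme == "CLEARTEXT":
        return password
    algo, _, salted = _SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = secrets.token_bytes(8)
    digest = algo(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_userpassword(stored: str, candidate: str) -> bool:
    """Server-side comparison: does the clear-text candidate the client sent
    match the stored userPassword value?  Returns False for schemes this toy
    server does not implement (e.g. {CRYPT}) and for malformed values."""
    pw = candidate.encode("utf-8")
    if not stored.startswith("{"):
        # no scheme prefix: cleartext storage, compare in constant time
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, sep, encoded = stored[1:].partition("}")
    if not sep or scheme.upper() not in _SCHEMES:
        return False
    algo, size, salted = _SCHEMES[scheme.upper()]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return False
    if salted:
        if len(raw) <= size:
            return False
        digest, salt = raw[:size], raw[size:]  # the salt is whatever follows the digest
    else:
        if len(raw) != size:
            return False
        digest, salt = raw, b""
    return hmac.compare_digest(algo(pw + salt).digest(), digest)


# Constructed directory: one user per storage scheme, all with password "secret".
# Fixed salts keep the values reproducible; a real server picks random ones.
DIRECTORY = {
    "uid=adp,dc=example,dc=com": {
        "userPassword": [make_userpassword("SSHA", "secret", b"\x01\x02\x03\x04")]},
    "uid=luca,dc=example,dc=com": {
        "userPassword": [make_userpassword("SHA", "secret")]},
    "uid=app-x,dc=example,dc=com": {
        "userPassword": [make_userpassword("CLEARTEXT", "secret")]},
    # a scheme this toy server does not implement: binds for this entry always fail
    "uid=legacy,dc=example,dc=com": {
        "userPassword": ["{CRYPT}placeholder-not-a-real-hash"]},
}


def simple_bind(directory: dict, dn: str, password: str) -> bool:
    """Toy simple bind: the client supplies a DN and the clear password; the
    server does all the hashing.  Any matching userPassword value succeeds."""
    entry = directory.get(dn)
    if entry is None:
        return False
    return any(check_userpassword(v, password) for v in entry.get("userPassword", []))


if __name__ == "__main__":
    for dn in DIRECTORY:
        ok = simple_bind(DIRECTORY, dn, "secret")
        print(dn, "->", "bind OK" if ok else "bind FAILED")
```

The client side never changes between the three working entries: it hands over "secret" and a DN, and the scheme in the stored value decides how the server compares. That is also why an application that hashes the password itself before binding will fail against every one of them.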