
RE: Antwort: Re: When/why use slappasswd or any password digests [Virus checked]



-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of
denis.havlik@t-mobile.at

>>Note that use of digested password storage mechanisms is
>>not standardized. While there is some convergence between
>>various vendors, there is also ample divergence. Technically,
>>userPassword is supposed to be the user's password, in clear text.

>Somewhat related question: While userPassword may be "supposed" to hold
>clear text, in reality it usually holds some kind of a hash, and it can
>also be used to store "pointers" to external authentication methods (for
>instance {SASL}princ@REALM, and obsolete {KERB}princ@REALM point to
>Kerberos auth.). I presume that this behaviour is pretty unique to the
>userPassword field. Two questions:

>1) Is this part of the LDAP standard, or OpenLDAP specific?

The general behavior was described in RFC2307, which also defined the
{crypt}, {md5}, and {sha} schemes. The other schemes are not standardized.

>2) Is this behaviour somehow hard-coded in OpenLDAP, defined in schema
>files, or?

The encodings that OpenLDAP supports are generally hardcoded, but you can
dynamically load additional encodings if you want. For example, Symas has a
custom password hash module that provides compatibility with the native
Windows NT password hashes. When used with our (proprietary) NT LDAP Gateway,
it allows both seamless migration of users from Windows to OpenLDAP, as well
as centralized management of users (using OpenLDAP as the master and
replicating user/account information into NT PDCs).

>This is probably not very useful, but I'm curious if one could give the
>user two separate passwords, where both of these passwords would behave
>the way userPassword does.

Currently OpenLDAP only uses the userPassword attribute for LDAP Bind
operations. You would have to add a bit of code to support other attribute
types.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
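The {scheme}-prefixed userPassword format discussed in this thread, as an added example that is not part of the post or of OpenLDAP's own code: it splits off the scheme prefix, verifies the RFC 2307 {SHA} and {MD5} digest forms (base64 of the raw digest, as slappasswd emits them), treats a value with no prefix as clear text, and treats {SASL}/{KERB} values as pointers that cannot be checked locally. The function names and the sample values are constructed for this example.

```python
import base64
import hashlib
import hmac
import re

# Digest schemes from RFC 2307 that store base64(digest(password)).
# {CRYPT} and salted variants such as {SSHA} are deliberately left out here.
DIGEST_SCHEMES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}
# "Pointer" schemes: the value names an external principal, not a digest.
POINTER_SCHEMES = {"SASL", "KERB"}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def parse_userpassword(value: str):
    """Split a userPassword value into (scheme, payload).
    A value with no {scheme} prefix is treated as clear text (scheme None)."""
    m = _SCHEME_RE.match(value)
    if not m:
        return None, value
    return m.group(1).upper(), m.group(2)


def make_userpassword(scheme: str, password: str) -> str:
    """Produce a {SCHEME}base64 value for one of the digest schemes above
    (constructed helper mirroring slappasswd output, not OpenLDAP code)."""
    digest = DIGEST_SCHEMES[scheme.upper()](password.encode()).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest).decode())


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against one userPassword value.
    Raises LookupError for pointer schemes (the check belongs to the external
    SASL/Kerberos system) and ValueError for schemes this example lacks."""
    scheme, payload = parse_userpassword(stored)
    if scheme is None:
        # clear-text storage: still compare in constant time
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if scheme in POINTER_SCHEMES:
        raise LookupError("{%s} delegates to external auth for %s" % (scheme, payload))
    if scheme not in DIGEST_SCHEMES:
        raise ValueError("unsupported userPassword scheme {%s}" % scheme)
    try:
        expected = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = DIGEST_SCHEMES[scheme](candidate.encode()).digest()
    return hmac.compare_digest(expected, actual)
```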