Re: Debugging a user authentication
Andrew Findlay writes:
> (1): The latest LDAP spec introduced pwprep to solve this problem,
> but hardly anything implements it yet. It will be many years before
> you can depend on common LDAP clients doing it properly.
It's not just a client-side issue. Most sites store a password hash in
their server rather than the cleartext password. That means the client
needs to encode the password with the same character encoding and
preparation as whatever hashed the server-side password. (E.g. the
/etc/passwd program.) Or the server needs to prepare cleartext
passwords it receives from the client the same way, but it's likely a
bad idea for the server to e.g. assume client passwords are latin-1 and
convert to UTF-8.
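
Added example, not part of the original message: a Python sketch of the mismatch described above, checking the bytes a client sends in a simple bind against a stored salted hash. It assumes the {SSHA} scheme for the stored value; the sample password, the fixed salt and the helper names are constructed, and prepare() is a simplified stand-in (NFKC plus UTF-8), not full SASLprep.

```python
import base64
import hashlib
import hmac
import unicodedata

SALT = b"\x01\x02\x03\x04"  # constructed fixed salt so the demo is repeatable

def ssha(password_bytes, salt=SALT):
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password_bytes + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check(stored, password_bytes):
    """Verify the bytes received in a simple bind against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password_bytes + salt).digest()
    return hmac.compare_digest(candidate, digest)

def prepare(password):
    """Assumed preparation: NFKC then UTF-8 (simplified stand-in, not full SASLprep)."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")

def demo():
    password = "p\u00e4ssword"  # constructed sample password with one non-ASCII letter
    results = {}
    # Hash created by a tool that saw the password as latin-1 bytes.
    stored_latin1 = ssha(password.encode("latin-1"))
    results["latin1_hash_utf8_client"] = check(stored_latin1, password.encode("utf-8"))
    results["latin1_hash_latin1_client"] = check(stored_latin1, password.encode("latin-1"))
    # Hash created from prepared (NFKC, UTF-8) bytes.
    stored_prepared = ssha(prepare(password))
    nfd_bytes = unicodedata.normalize("NFD", password).encode("utf-8")
    # Client sends valid UTF-8, but in decomposed form and unprepared.
    results["prepared_hash_raw_nfd_client"] = check(stored_prepared, nfd_bytes)
    # Server decodes the UTF-8 it received and applies the same preparation.
    results["prepared_hash_server_prepares"] = check(
        stored_prepared, prepare(nfd_bytes.decode("utf-8")))
    # Server wrongly assumes the client's UTF-8 bytes are latin-1 and converts them.
    guessed = password.encode("utf-8").decode("latin-1").encode("utf-8")
    results["server_guesses_latin1"] = check(stored_prepared, guessed)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

Only the cases where the bind bytes went through the same encoding and preparation as the bytes that were hashed verify; the correct password fails in every other case.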