Re: Compare-Request on hashed userPassword

On 09/27/2011 06:59 PM, Michael Ströder wrote:

> We have {SSHA}-hashed passwords in attribute userPassword.
>
> One application sends CompareRequests with the clear-text password instead of
> a BindRequest to validate the password which obviously fails. The application
> vendor claims it is too much effort to change that behaviour in the
> application. I guess this can only be solved in slapd by a custom overlay
> intercepting the CompareRequest (which is effort too).

I guess the purpose is to authenticate. In that case, the app should use the bind operation (simple bind, in this case).

An overlay would basically need to take the value from the compare request, put it into a bind request structure, call the frontend's bi_op_bind() hook. The custom overlay would probably be 10 to 100 lines of code, and most of the headache would come from trading code duplication (rewrite simple bind code) with having to deal with intercepting bind responses, which is a mess (successful ones are delegated to the frontend, unsuccessful ones are directly dealt with by the hook).

The application would need how many lines of code? two? three?
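
Added example, not part of the original message and not slapd code: a Python sketch of why a CompareRequest carrying the clear-text password cannot match a {SSHA} value, while the check a simple bind performs does. The function names, the sample password and the fixed salt are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = b"{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Build a {SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt)


def compare_semantics(stored: bytes, asserted: bytes) -> bool:
    """Compare operation: the asserted value is matched octet for octet
    against the stored attribute value, with no hashing involved."""
    return hmac.compare_digest(stored, asserted)


def bind_semantics(stored: bytes, cleartext: bytes) -> bool:
    """Simple-bind style check: recover the salt from the stored value,
    rehash the presented password and compare the digests."""
    if stored[:len(SCHEME)].upper() != SCHEME:
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(cleartext + salt).digest()
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    stored = make_ssha(b"s3cret", salt=b"\x01\x02\x03\x04")  # constructed sample
    print("stored value :", stored.decode())
    print("compare      :", compare_semantics(stored, b"s3cret"))
    print("bind (right) :", bind_semantics(stored, b"s3cret"))
    print("bind (wrong) :", bind_semantics(stored, b"wrong"))
```

A compare only succeeds when the client asserts the full stored string, salt included, which is something an application validating a user's password does not have.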