
Re: Compare-Request on hashed userPassword



Pierangelo Masarati wrote:
> On 09/27/2011 06:59 PM, Michael Ströder wrote:
>> Hi!
>>
>> We have {SSHA}-hashed passwords in attribute userPassword.
>>
>> One application sends CompareRequests with the clear-text password instead of
>> a BindRequest to validate the password which obviously fails. The application
>> vendor claims it is too much effort to change that behaviour in the
>> application. I guess this can only be solved in slapd by a custom overlay
>> intercepting the CompareRequest (which is effort too).
> 
> I guess the purpose is to authenticate.  In that case, the app should use the
> bind operation (simple bind, in this case).
> 
> An overlay would basically need to take the value from the compare request,
> put it into a bind request structure, call the frontend's bi_op_bind() hook. 
> The custom overlay would probably be 10 to 100 lines of code, and most of the
> headache would come from trading code duplication (rewrite simple bind code)
> with having to deal with intercepting bind responses, which is a mess
> (successful ones are delegated to the frontend, unsuccessful ones are directly
> dealt with by the hook).
> 
> The application would need how many lines of code? two? three?

Pierangelo I really appreciate that you double my arguments... ;-)

But decisions are sometimes influenced by other priorities beyond pure
technical aspects.

Anyway the guy who's supposed to implement such an overlay will appreciate
your technical hints above.

Ciao, Michael.
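
Added example, not part of the original thread and not OpenLDAP code: a Python sketch of why a Compare with the clear-text password fails against a {SSHA} value while a simple bind succeeds. It assumes the usual {SSHA} layout, base64(SHA1(password + salt) + salt), and models Compare as plain byte equality on the stored value; the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

SCHEME = b"{SSHA}"
SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; everything after it is the salt


def ssha_hash(password, salt=None):
    """Build a {SSHA} userPassword value (assumed layout, see lead-in)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt)


def bind_check(stored, candidate):
    """Model of a simple bind: re-hash the candidate with the stored salt."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # malformed base64 in the stored value
        return False
    if len(raw) < SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.sha1(candidate + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def compare_check(stored, asserted):
    """Model of a Compare on userPassword: byte equality, no hashing."""
    return hmac.compare_digest(stored, asserted)


if __name__ == "__main__":
    # Constructed sample value, not taken from the thread.
    stored = ssha_hash(b"correct horse", salt=b"\x01" * 8)
    print("stored value:        ", stored.decode())
    print("bind, right password:", bind_check(stored, b"correct horse"))
    print("bind, wrong password:", bind_check(stored, b"guess"))
    print("compare, clear text: ", compare_check(stored, b"correct horse"))
```

Because the salt is random per entry, a client cannot reproduce the stored value by hashing on its own side either; only the server-side check used by bind has the salt available.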