OpenLDAP / GUI client password compatibility: advice requested
- To: <openldap-devel@OpenLDAP.org>
- Subject: OpenLDAP / GUI client password compatibility: advice requested
- From: "Betts, Chris" <Chris.Betts@ca.com>
- Date: Mon, 15 Dec 2003 10:21:07 +1100
- Content-class: urn:content-classes:message
- Thread-index: AcPCmPLwEt4TozUnQ7+dB8EuKPxilg==
- Thread-topic: OpenLDAP / GUI client password compatibility: advice requested
I'm the lead author of the open source 'JXplorer' ldap GUI project
(jxplorer.org - hosted on sourceforge).
We've received a number of requests from JXplorer users to allow
client side encryption of passwords for compatibility with openLDAP, and
some users have submitted patches to allow this, which is grand.
There seems to be some confusion though as to exactly what is
required. Since we want jxplorer to be as compatible with openLDAP as
possible, can I just check that the following usage is correct; it seems
a little unusual, and I need to make sure that I haven't got myself
confused. I did a search of the faqs and email archives, but they
haven't cleared up all of my questions.
When an administrator creates a new user entry, or adds a
userPassword for the first time, the userPassword value is passed in as
plain text - the server may (depending on configuration) 'encrypt' (one
way hash really) the value locally.
When a user binds using username/password, they enter their plain
text password - the server can then compute the 'encrypted' value for
the purpose of comparison.
When the user or administrator *modifies* an existing userPassword
attribute, they need to encrypt(hash) it on the client. This
modification is the *only* time that the client needs to encrypt the
If the client accidentally encrypted the userPassword value on
binding, the bind would fail.
If the client accidentally encrypted the userPassword value on first
creation, later binds would fail.
Is this correct? Or is there some other way the client should work?
JXplorer is a generic ldap/dsml browser that attempts to work well with
all common ldap servers, and I want to make it easy for my users to work
well with openLDAP, so I'd like to avoid any misunderstandings, which is
why I haven't incorporated the patches I've been given quite yet :-).
Dr Christopher Betts
CA, Melbourne, Australia
Dev Manager UDDI, DSML, JXplorer
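The three cases described in the message (hash on modify, cleartext on bind, cleartext on first creation) can be checked against a small model of how a server compares a bind credential with a stored userPassword. This is an added example, not code from JXplorer or OpenLDAP; it assumes the server's configured scheme is {SSHA} (salted SHA-1, base64 of digest followed by salt), and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build the userPassword value a client would send when *modifying* a password:
    "{SSHA}" + base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """Server-side comparison: recover the salt from the stored value, re-hash the
    cleartext supplied at bind time and compare digests in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def simulate_bind(stored: str, supplied: str) -> bool:
    """Model of a simple bind: a {SSHA} value is verified by re-hashing; any other
    stored value is treated as cleartext and compared byte for byte. The supplied
    credential must be the user's cleartext password in both cases."""
    if stored.startswith(SSHA_PREFIX):
        return check_ssha(stored, supplied)
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    stored = make_ssha("correct horse")          # what a modify should send
    print(simulate_bind(stored, "correct horse"))             # cleartext bind: True
    print(simulate_bind(stored, make_ssha("correct horse")))  # hashed on bind: False
    doubled = make_ssha(make_ssha("correct horse"))           # hashed on creation, then by server
    print(simulate_bind(doubled, "correct horse"))            # later bind: False
```

The last two cases reproduce the two failure modes in the message: hashing on bind, and hashing at creation when the server hashes as well.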