
RE: OpenLDAP / GUI client password compatibility: advice requested

>Excellent.  So in short, the whole idea of client hashing of
>userPassword is slightly daft.  Correct JXplorer behaviour would be to

Right, this behaviour was introduced by Netscape Directory Server 1.0
and AFAIK is principally manifest in the descendant directory servers
(iPlanet, Sun ONE).

Active Directory and NDS do similar things: in Active Directory, you
are required to modify the unicodePwd attribute (which is a UCS2-LE
cleartext password enclosed in double quotes) and in NDS, the behaviour
is similar to Netscape except that you must first "delete" the old
cleartext password to prove that you know it. In pam_ldap we chose to
make which client-side behaviour to use a runtime option but obviously
automatic discovery would be nicer.

-- Luke
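The three client-side styles Luke describes (Netscape-style cleartext userPassword that the server hashes, NDS-style delete-old-then-add, and Active Directory's quoted UTF-16LE unicodePwd) as an added example; this is not pam_ldap's code nor anything from the thread. It only builds the modify payloads as python-ldap-style modlists plus the equivalent LDIF and never contacts a server; the DN and passwords are constructed, and the `MOD_*` numeric values are assumed to match python-ldap's.

```python
# Added example (not pam_ldap's code): build the modify payloads for the
# three password-change styles described in the message.  Output is a
# python-ldap style modlist and the equivalent LDIF text; no server is
# contacted.  The DN and passwords used in the tests are constructed.
import base64

# Assumed to match python-ldap's MOD_ADD / MOD_DELETE / MOD_REPLACE.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
OP_NAME = {MOD_ADD: "add", MOD_DELETE: "delete", MOD_REPLACE: "replace"}


def ad_unicode_pwd(password: str) -> bytes:
    """Active Directory form: cleartext wrapped in double quotes, UTF-16LE
    (UCS-2LE for characters in the Basic Multilingual Plane)."""
    return ('"' + password + '"').encode("utf-16-le")


def modlist_netscape(new: str):
    """Netscape / iPlanet / Sun ONE: send the cleartext userPassword and
    let the server apply its configured hash."""
    return [(MOD_REPLACE, "userPassword", [new.encode("utf-8")])]


def modlist_nds(old: str, new: str):
    """NDS: delete the old cleartext value first, which is how the client
    proves it knows the current password, then add the new one."""
    return [(MOD_DELETE, "userPassword", [old.encode("utf-8")]),
            (MOD_ADD, "userPassword", [new.encode("utf-8")])]


def modlist_ad(new: str):
    """Active Directory: modify unicodePwd (the server only accepts this
    over a TLS-protected session)."""
    return [(MOD_REPLACE, "unicodePwd", [ad_unicode_pwd(new)])]


def _ldif_value(attr: str, value: bytes) -> str:
    # RFC 2849: anything that is not a SAFE-STRING (non-ASCII bytes, NUL,
    # CR/LF, or a leading space/colon/'<') must be base64 with "::".
    # unicodePwd always takes this path because of its NUL bytes.
    safe = (all(0x20 <= b < 0x7F for b in value)
            and value[:1] not in (b" ", b":", b"<"))
    if safe:
        return f"{attr}: {value.decode('ascii')}"
    return f"{attr}:: {base64.b64encode(value).decode('ascii')}"


def to_ldif(dn: str, modlist) -> str:
    """Render a modlist as an LDIF changetype: modify record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in modlist:
        lines.append(f"{OP_NAME[op]}: {attr}")
        lines.extend(_ldif_value(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn = "cn=jdoe,ou=people,dc=example,dc=com"   # constructed
    for name, ml in (("netscape", modlist_netscape("n3wPass")),
                     ("nds", modlist_nds("0ldPass", "n3wPass")),
                     ("ad", modlist_ad("n3wPass"))):
        print(f"# {name}\n{to_ldif(dn, ml)}")
```

Feeding the NDS or AD modlist to a Netscape-style server (or vice versa) is exactly the runtime-option problem the message refers to: the attribute name, the encoding and the delete-then-add sequence all differ, and nothing in the LDAP protocol itself tells the client which one the server wants.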