[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP / GUI client password compatibility: advice requested

To: Chris.Betts@ca.com
Subject: RE: OpenLDAP / GUI client password compatibility: advice requested
From: Luke Howard <lukeh@PADL.COM>
Date: Tue, 16 Dec 2003 12:15:47 +1100
Cc: Kurt@OpenLDAP.org, openldap-devel@OpenLDAP.org
Organization: PADL Software Pty Ltd
Versions: dmail (bsd44) 2.4c/makemail 2.9d

>Excellent.  So in short, the whole idea of client hashing of
>userPassword is slightly daft.  Correct JXplorer behaviour would be to

Right, this behaviour was introduced by Netscape Directory Server 1.0
and AFAIK is principally manifest in the descendent directory servers
(iPlanet, Sun ONE).

Active Directory and NDS do similar things: in Active Directory, you
are required to modify the unicodePwd attribute (which is a UCS2-LE
cleartext password enclosed in double quotes) and in NDS, the behaviour
is similar to Netscape except that you must first "delete" the old
cleartext password to prove that you know. In pam_ldap we chose to 
make which client-side behaviour to use a runtime option but obviously
automatic discovery would be nicer.

-- Luke

Prev by Date: RE: commit: ldap/servers/slapd acl.c aclparse.c ad.c controls.c repl.c search.c sessionlog.c slap.h
Next by Date: RE: commit: ldap/servers/slapd acl.c aclparse.c ad.c controls.c repl.c search.c sessionlog.c slap.h
Index(es):
- Chronological
- Thread