
Re: LDAP Password Policy draft...
Hi Ludovic,

The definition of the pwdInHistory (section 4.2.4) should also include the
text regarding hashed passwords. If the client hashes the password before
sending it over to the server (a recommended method, instead of sending 
cleartext passwords over the network and storing them as cleartext strings
on the server as well), the history cannot be verified.

To that end, I would also like to see an attribute (say,
'pwdSupportedEncryptionSchemes') added to the pwdPolicy objectclass, that
specifies the encryption schemes supported by the server. The clients can 
then make use of this value to decide which encryption scheme is to be used
to encrypt the password before sending it over for updates.

This attribute should be multi-valued, each value specifying a supported
encryption scheme. 

This would help protect against clients sending over a password of type
{MD5}oiwejr98wur98uw, and the server treating this whole string as a
plaintext password!!

Thanks,

-Subbu

On Fri, 20 Jul 2001, Ludovic Poitou wrote:

> Hi LDAP-Ext members,
> 
> An update to the LDAP Password Policy draft has been submitted (and
> attached hereby).
> 
> We did a general editing pass and modified sections 6 and 7 for
> conformance to RFC 2119 and section 8 for clarification.
> The document is now complete and we would like to make it progress to
> Proposed Standard.
> We solicit your comments on the document.
> 
> Thank you and best regards,
> 
> Ludovic.
> 
> --
> Ludovic Poitou
> Sun Microsystems Inc.
> iPlanet E-Commerce Solutions - Directory Group - Grenoble - France
> 
> 
> 

--
Subbu Subramaniam
Mirapoint, Inc.
Tel: (408)720-3798
http://www.mirapoint.com
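The two failure modes Subbu describes, a pwdInHistory check that cannot be decided once the client pre-hashes the password, and a server that stores a `{MD5}...` string as a literal cleartext password, are illustrated below in a small Python sketch. This is an added example, not code from the mail, the draft, or any directory server. It assumes the RFC 2307 `{SCHEME}base64` layout for userPassword values, and the `SUPPORTED_SCHEMES` tuple stands in for the proposed (hypothetical) pwdSupportedEncryptionSchemes attribute.

```python
import base64
import hashlib
import os

# Stand-in for the proposed multi-valued pwdSupportedEncryptionSchemes attribute
# (hypothetical name from the mail; not a standard attribute). Values follow the
# RFC 2307 "{SCHEME}base64(payload)" convention for userPassword.
SUPPORTED_SCHEMES = ("{MD5}", "{SHA}", "{SSHA}")
SALTED = {"{SSHA}"}  # schemes whose payload depends on a random salt


def parse_tagged(value: str):
    """Split '{SCHEME}payload' into (scheme, payload); untagged values are cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        scheme = value[: end + 1].upper()
        if scheme in SUPPORTED_SCHEMES:
            return scheme, value[end + 1:]
    return None, value


def hash_password(scheme: str, password: str, salt: bytes = b"") -> str:
    """Produce a scheme-tagged value the way a server (or a client) would."""
    pw = password.encode("utf-8")
    if scheme == "{MD5}":
        digest = hashlib.md5(pw).digest()
    elif scheme == "{SHA}":
        digest = hashlib.sha1(pw).digest()
    elif scheme == "{SSHA}":
        if not salt:
            salt = os.urandom(4)
        digest = hashlib.sha1(pw + salt).digest() + salt  # salt appended in the clear
    else:
        raise ValueError("unsupported scheme " + scheme)
    return scheme + base64.b64encode(digest).decode("ascii")


def matches(stored: str, candidate: str):
    """True/False when the comparison is decidable, None when it is not.

    'candidate' is either the cleartext the client sent or a value the client
    already hashed itself.
    """
    s_scheme, s_payload = parse_tagged(stored)
    c_scheme, c_payload = parse_tagged(candidate)
    if s_scheme is None and c_scheme is None:
        return stored == candidate  # both cleartext
    if c_scheme is None:
        # Server has the cleartext: re-derive with the stored scheme (and its salt).
        raw = base64.b64decode(s_payload)
        salt = raw[20:] if s_scheme == "{SSHA}" else b""
        return hash_password(s_scheme, candidate, salt) == stored
    if s_scheme == c_scheme and c_scheme not in SALTED:
        # Unsalted scheme: equal passwords give equal payloads, so hashes compare.
        return s_payload == c_payload
    return None  # different schemes, or a random salt: history cannot be verified


def in_history(history, candidate):
    """pwdInHistory-style check: (found, entries that could not be decided)."""
    found = False
    undecidable = []
    for old in history:
        result = matches(old, candidate)
        if result is None:
            undecidable.append(old)
        elif result:
            found = True
    return found, undecidable


def accept_client_value(value: str, supported=SUPPORTED_SCHEMES):
    """Server-side handling of an incoming userPassword value.

    Returns ('hashed', scheme) for a recognised tag and ('cleartext', None) for an
    untagged value; a tag the server does not support is rejected rather than
    being stored as a literal cleartext password.
    """
    if value.startswith("{") and "}" in value:
        scheme = value[: value.index("}") + 1].upper()
        if scheme not in supported:
            raise ValueError(f"unsupported scheme {scheme}; refusing to store it as cleartext")
        return "hashed", scheme
    return "cleartext", None


if __name__ == "__main__":
    # Constructed sample history: one salted, one unsalted entry.
    history = [hash_password("{SSHA}", "old-pass-1"), hash_password("{MD5}", "old-pass-2")]
    print(in_history(history, "old-pass-2"))                       # cleartext: decidable
    print(in_history(history, hash_password("{SSHA}", "old-pass-1")))  # pre-hashed: not
    print(accept_client_value("{MD5}oiwejr98wur98uw"))
```

With a cleartext candidate the server can re-derive every stored entry, salt included, so the history check is decidable; once the client sends a salted hash of its own, every entry becomes undecidable, which is the gap the mail points at. `accept_client_value` is the scheme-aware guard that stops a `{MD5}...` string from being stored as a plaintext password.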