[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
- From: hyc@symas.com
- Date: Tue, 29 May 2012 17:43:50 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Quanah Gibson-Mount wrote:
> --On Tuesday, May 29, 2012 4:08 PM +0000 hyc@symas.com wrote:
>
>>> It is a problem that a slappasswd user must have read privilage
>>> on slapd.conf (or slapd.d) by this patch...
>>
>> slappasswd is an administrative command; if you don't have administrator
>> access already you have no business running it.
>
> What in any way makes it administrative? You simply give it a password to
> convert into whatever scheme for you. Where is the administrative
> requirement? Why shouldn't X user with some particular permissions into
> the database, but not the configuration, be able to run it to generate a
> value?
slap*(8) are all administrative tools, by definition. You should already know
that.
Why should X user ever need to run this tool to generate a value? slapd
generates users' password values automatically. The only time anyone ever
*needs* this tool is for setting a rootpw in the slapd config. That's the only
reason this tool exists and it is the only valid use case.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/