Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes
- From: hyc@symas.com
- Date: Tue, 29 May 2012 18:05:10 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Michael Ströder wrote:
> hyc@symas.com wrote:
>> Why should X user ever need to run this tool to generate a value?
>
> From slappasswd(8):
>
> DESCRIPTION
> Slappasswd is used to generate an userPassword value suitable
> for use with ldapmodify(1), slapd.conf(5) rootpw configuration
> directive or the slapd-config(5) olcRootPW configuration directive.
>
> Do you want to restrict this text regarding ldapmodify(1) only for the cases
> that the slappasswd user has also write access to back-config?
We could probably delete that ldapmodify(1) reference. Technically it has
always been wrong, since there's never been any guarantee that an LDAP user's
password was ever stored in any user-accessible attribute.
> Of course you are the OpenLDAP boss. You can change everything to make it
> work for you. But it breaks existing operational procedures for other people.
The text also states
The practice of storing hashed passwords in userPassword violates
Standard Track (RFC 4519) schema specifications and may hinder
interoperability.
Anyone building operational procedures on something that violates the specs
was asking for trouble. Users should be using ldappasswd, that's what it's for.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
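The thread concerns a patch adding salted SHA-2 schemes to the userPassword hashes slappasswd can emit. As an added illustration, not code from the patch or from OpenLDAP, the block below builds and verifies a {SSHA256}-style value. The layout it assumes (scheme prefix, then base64 of SHA-256(password || salt) followed by the salt) is my reading of the OpenLDAP sha2 module's convention and is labelled as an assumption in the code; the function names and the 8-byte salt length are mine. It shows why salting matters for stored password hashes: two values for the same password differ, so a stolen directory dump cannot be attacked with one precomputed table.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed layout (my understanding of the OpenLDAP contrib sha2 module, not
# taken from the patch text): "{SSHA256}" + base64(digest || salt), where
# digest = SHA-256(password || salt). The salt length is an arbitrary choice.
SCHEME = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def make_ssha256(password: str, salt: Optional[bytes] = None, salt_len: int = 8) -> str:
    """Return a salted SHA-256 userPassword value.

    A fresh random salt is drawn unless one is supplied (supplying one is
    only useful for tests and for re-hashing a known salt).
    """
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA256} value.

    Rejects other schemes, malformed base64 and payloads too short to hold a
    digest plus at least one salt byte; compares digests in constant time.
    """
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def salted_values_differ(password: str) -> bool:
    """Two hashes of one password get different salts, hence different values."""
    return make_ssha256(password) != make_ssha256(password)


if __name__ == "__main__":
    value = make_ssha256("correct horse")
    print(value)
    print("verify ok:", verify_ssha256("correct horse", value))
    print("wrong password rejected:", not verify_ssha256("battery staple", value))
    print("salts differ:", salted_values_differ("correct horse"))
```

The verifier reads the salt back out of the stored value rather than trusting the caller to supply it, which is what lets a directory server validate a bind without ever storing the clear-text password.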