[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7278) [PATCH] SHA-2: Add support salted SHA-2 password hashes



hyc@symas.com wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> The text also states
>>>      The practice of storing hashed passwords in userPassword violates
>>>      Standard Track (RFC 4519) schema specifications and may hinder
>>>      interoperability.
>>
>> In practice we all live very well with this for years. That's least of a
>> problem today.
>>
>>> Anyone building operational procedures on something that violates the specs
>>> was asking for trouble. Users should be using ldappasswd, that's what it's for.
>>
>> ???
>>
>> ldappasswd writes a hashed password to - tataa - attribute 'userPassword'.
>> I cannot see how this is different from using ldapadd/ldapmodify.
> 
> Wrong, ldappasswd sends a PasswordModify exop to a server. The server may 
> implement that exop in any implementation-specific manner, and there is no 
> guarantee that the password a server uses is ever instantiated in any LDAP 
> entry. There is no guarantee that setting a userPassword attribute using 
> ldapadd/ldapmodify will ever do anything useful for any given LDAP user.

You're arguing based on what a LDAP server could do. I'm arguing based on what
OpenLDAP and other server implementations are doing for years.

None of what you said in this thread is a real argument against adding SHA-2
hash algos to the core. Still you did not answer why SHA-1 is in and SHA-2 is out.

Well, you're the OpenLDAP god. So you can arbitrarly decide whatever you want.
(But you shouldn't wonder why there's no active OpenLDAP community.)

Ciao, Michael.