
Re: userPassword: {UNIX}uid [was: Authentication with UNIX username/password (ITS#212)]



At 10:58 PM 6/26/99 +0200, Julio Sanchez wrote:
>"Kurt D. Zeilenga" <Kurt@OpenLDAP.org> writes:
>> 	userPassword: {UNIX}uid
>I don't know...  A user that can change this to point to some other
>uid can then use slapd to crack that other uid password.

I actually think {UNIX} is safer than {CRYPT}.  It doesn't
expose the hash.  In fact, the administrator can disable
write access to the userPassword attribute to self!

Anyways, --disable-crypt turns this and {CRYPT} support off...

Would be nice to have slapd configuration support of userPassword
methods (and server-side generation):
  passwordAttribute	userPassword
  passwordAllow	SSHA SMD5 SHA MD5
  passwordGenerate	SSHA

And, of course, a mechanism to completely disable userPassword
support in favor of (working) Kerberos V support.

Contributions welcomed...

Kurt