Re: SASL secrets in LDAP
At 05:02 PM 2002-05-06, Howard Chu wrote:
>For many good reasons, we discourage the storage of plaintext passwords in
>LDAP.

Yes, but if userPassword is plaintext (as it really should be, see
RFC 2256), then we can certainly use it for DIGEST-MD5.

>(The above paragraphs assume that we add a {DIGEST-MD5} password scheme.
>It's not clear to me that this is the right thing to do, it really doesn't
>make sense for this hash to be available to a simple Bind.)
>
>Thoughts?

I wouldn't add another userPassword scheme. I'd use userPassword
in clear text or use authPassword (RFC 3112) (a scheme would have
to be added). Password-exop can be used to update either.

Kurt
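
Added example, not part of the original message and not OpenLDAP code: a sketch of the RFC 2831 response calculation (qop=auth, no authzid), showing that a server can verify DIGEST-MD5 from either a cleartext userPassword or a stored H(username:realm:password), so the stored hash is itself sufficient to authenticate within that realm. Function names are hypothetical; the sample values are those of the example exchange in RFC 2831 section 4.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """MD5 as the raw 16-octet digest (H in RFC 2831)."""
    return hashlib.md5(data).digest()


def hashed_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): what a hashed storage scheme would hold."""
    return h(f"{username}:{realm}:{password}".encode("utf-8"))


def response(secret: bytes, nonce: str, cnonce: str, nc: str, digest_uri: str) -> str:
    """RFC 2831 response-value for qop=auth without an authzid."""
    ha1 = h(secret + f":{nonce}:{cnonce}".encode("utf-8")).hex()
    ha2 = h(f"AUTHENTICATE:{digest_uri}".encode("utf-8")).hex()
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode("utf-8")).hex()


def server_verify(stored, username: str, realm: str, client_response: str, **chal) -> bool:
    """stored is a str (cleartext userPassword) or bytes (pre-hashed secret)."""
    if isinstance(stored, str):
        secret = hashed_secret(username, realm, stored)
    else:
        secret = stored
    return hmac.compare_digest(response(secret, **chal), client_response)


# Sample values from the example exchange in RFC 2831 section 4.
USER, REALM, PASSWORD = "chris", "elwood.innosoft.com", "secret"
CHAL = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
            nc="00000001", digest_uri="imap/elwood.innosoft.com")


def demo() -> dict:
    client = response(hashed_secret(USER, REALM, PASSWORD), **CHAL)
    return {
        "client_response": client,
        # Server holding the cleartext password.
        "cleartext_ok": server_verify(PASSWORD, USER, REALM, client, **CHAL),
        # Server holding only the hash: verification needs nothing else.
        "hashed_ok": server_verify(hashed_secret(USER, REALM, PASSWORD),
                                   USER, REALM, client, **CHAL),
        "wrong_password_ok": server_verify("guess", USER, REALM, client, **CHAL),
    }


if __name__ == "__main__":
    print(demo())
```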