RE: SASL secrets in LDAP
> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Lawrence Greenfield
> Date: Mon, 06 May 2002 17:14:03 -0700
> From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
> Cc: <openldap-devel@OpenLDAP.org>
>
> At 05:02 PM 2002-05-06, Howard Chu wrote:
> >For many good reasons, we discourage the storage of plaintext passwords in
> >LDAP.
>
> Yes, but if userPassword is plaintext (as it really should be, see
> RFC 2256), then we can certainly use it for DIGEST-MD5.
>
> Also, remember that the DIGEST-MD5 password hash is sufficient for
> authentication (it is not a one-way hash like /etc/passwd).
Good points. OK, sounds like generating the hash is a lot of unnecessary
effort since it needs as much protection as the plaintext. Might as well
just use the userPassword attribute as-is then. Simplifies life
considerably...
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
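
The point made in the thread, that the stored DIGEST-MD5 hash is itself sufficient to authenticate and so needs the same protection as the plaintext, shown as an added example that is not part of the original message. It follows the RFC 2831 response computation for qop=auth with no authzid; the user, realm, nonces, digest-uri and function names are constructed for illustration, and PBKDF2 stands in for a crypt-style one-way hash.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def stored_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): what a server could keep instead of plaintext."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response-value, computed from the stored secret only."""
    ha1 = md5(secret + f":{nonce}:{cnonce}".encode()).hex()
    ha2 = md5(f"AUTHENTICATE:{digest_uri}".encode()).hex()
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

def server_accepts(secret: bytes, response: str, **fields) -> bool:
    """Server-side check: recompute from the stored secret and compare."""
    return hmac.compare_digest(digest_response(secret, **fields), response)

def crypt_style_hash(password: str, salt: bytes) -> bytes:
    """One-way verifier of the /etc/passwd kind (PBKDF2 used as a stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def crypt_style_accepts(stored: bytes, salt: bytes, submitted: str) -> bool:
    """The server hashes whatever is submitted, so the stored value is no credential."""
    return hmac.compare_digest(crypt_style_hash(submitted, salt), stored)

# Constructed sample values, not taken from the thread.
USER, REALM, PASSWORD = "alice", "example.org", "correct horse"
FIELDS = dict(nonce="c2VydmVyLW5vbmNl", cnonce="Y2xpZW50LW5vbmNl",
              nc="00000001", digest_uri="ldap/ldap.example.org")

def demo() -> dict:
    secret = stored_secret(USER, REALM, PASSWORD)  # value kept in the directory
    # A response built from `secret` alone, without ever seeing PASSWORD.
    resp = digest_response(secret, **FIELDS)
    salt = b"constructed-salt"
    one_way = crypt_style_hash(PASSWORD, salt)
    return {
        "digest_secret_alone_accepted": server_accepts(secret, resp, **FIELDS),
        "crypt_hash_alone_accepted": crypt_style_accepts(one_way, salt, one_way.hex()),
    }

if __name__ == "__main__":
    print(demo())
```

The stored DIGEST-MD5 value passes the server's check on its own, while the crypt-style hash submitted in place of the password does not, which is why the former has to be access-controlled like `userPassword` itself.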