
Re: Newbie question: setting userPassword field



On Mon, 7 Feb 2000, John Kristian wrote:

> Dustin Sallings wrote:
> 
> > There are about 80 LDAP modules for Apache.  The one I use verifies the
> > password by binding as the user ...
> 
> That's a good, portable, future-proof technique.  It enables the LDAP client
> software to work correctly without any knowledge of (or dependency on) the
> LDAP server's password validation scheme and hash formats.
> 
> But I've heard developers argue that the LDAP client can be more efficient
> and/or secure, by performing password validation (hash-and-compare) itself,
> using password hashes read from the LDAP server.  Perhaps some of those 80
> developers implemented it that way.  I don't advocate (or even defend) that
> choice.  I merely think that, if they made that choice, they should follow
> through and support the hash formats in current use.

I'm one of those 80 module writers :-), so I'll jump in. 

I originally wrote my module because the only other module (at that time)
just did a password compare and I wanted it to do a bind for exactly the
reason John gives.

However, this does have a significant performance impact in the context of
HTTP, since credentials have to be validated for every request. Much of
the effort in the later versions of my module was devoted to improving
this performance, mostly by caching the results of the bind to offset
this cost. In my own ad hoc benchmarks, client-side caching of the bind
results actually doubled the throughput of the server.

But, if you have 10 child http's, that means that there are 10 caches that
have to be populated, so performance is still going to be affected. And if
the children exit after n requests, their caches go with them.

In future versions, I plan to offer the Apache administrator the choice of
either validating with a bind (portable & slow), or doing a client-side
compare using an admin-specified list of hash algorithms
(server-specific & fast). 

I'm pretty sure that the performance improvements from the client-side
compare will be significant, but the portability will obviously be affected.
At least with OpenLDAP, I have access to the hash algorithms I need to
use :-)

Regards,
Dave Carrigan
http://www.rudedog.org/
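The two approaches discussed in this thread (validate by binding as the user, with a per-process cache of bind results; or read userPassword and hash-and-compare on the client, which then has to know the server's hash formats) are shown side by side below. This is an added illustration, not code from Dave Carrigan's Apache module or from OpenLDAP. It assumes the RFC 2307 style userPassword encodings {SHA} and {SSHA} (base64 of the SHA-1 digest, with the salt appended to the digest for {SSHA}); the directory contents, DNs and passwords are constructed for the demo, and the `simple_bind` function stands in for a real LDAP simple bind rather than talking to a server.

```python
import base64
import hashlib
import hmac
import os
import time


def make_ssha(password: bytes, salt=None) -> str:
    """Encode a password the way a {SSHA} userPassword value is stored:
    base64(sha1(password + salt) + salt). A random 8-byte salt is used
    when none is supplied."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: bytes) -> bool:
    """Client-side hash-and-compare (the 'server-specific & fast' option).
    Supports {SHA} and {SSHA}; any other scheme, or a cleartext value,
    is refused rather than guessed at."""
    if not stored.startswith("{"):
        return False
    scheme, _, payload = stored[1:].partition("}")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    scheme = scheme.upper()
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(candidate).digest())
    if scheme == "SSHA":
        if len(raw) <= 20:          # SHA-1 digest is 20 bytes; salt must follow
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())
    return False                    # {CRYPT}, {MD5}, ... not handled here


class BindCache:
    """Caches successful binds for `ttl` seconds (the 'portable & slow' option
    made cheaper). Each entry holds an HMAC of the password under a per-process
    key, never the password itself, so a dumped cache reveals nothing usable.
    Failed binds are not cached, so wrong passwords always reach the server."""

    def __init__(self, bind_fn, ttl: float = 300.0, clock=time.monotonic):
        self._bind = bind_fn
        self._ttl = ttl
        self._clock = clock
        self._key = os.urandom(32)      # dies with the process, like the cache
        self._entries: dict[str, tuple[bytes, float]] = {}
        self.binds = 0                  # real binds performed, for benchmarking

    def _tag(self, password: bytes) -> bytes:
        return hmac.new(self._key, password, hashlib.sha256).digest()

    def authenticate(self, dn: str, password: bytes) -> bool:
        now = self._clock()
        tag = self._tag(password)
        entry = self._entries.get(dn)
        if entry is not None:
            cached_tag, expires = entry
            if now < expires and hmac.compare_digest(cached_tag, tag):
                return True             # cache hit: no round trip to the server
        self.binds += 1
        ok = self._bind(dn, password)
        if ok:
            self._entries[dn] = (tag, now + self._ttl)
        return ok


class FakeClock:
    """Constructed clock so the TTL can be advanced deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo() -> dict:
    # Constructed directory contents: what userPassword would hold server-side.
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    directory = {
        alice: make_ssha(b"correct horse", salt=b"12345678"),
        bob: "{SHA}" + base64.b64encode(hashlib.sha1(b"hunter2").digest()).decode(),
    }

    def simple_bind(dn: str, password: bytes) -> bool:
        # Stand-in for an LDAP simple bind; the real server does this check itself.
        stored = directory.get(dn)
        return stored is not None and verify_userpassword(stored, password)

    clock = FakeClock()
    cache = BindCache(simple_bind, ttl=300.0, clock=clock)
    r1 = cache.authenticate(alice, b"correct horse")   # real bind
    r2 = cache.authenticate(alice, b"correct horse")   # served from cache
    r3 = cache.authenticate(alice, b"wrong")           # real bind, fails, not cached
    clock.now = 301.0
    r4 = cache.authenticate(alice, b"correct horse")   # TTL expired, bind again
    return {"results": (r1, r2, r3, r4), "binds": cache.binds}


if __name__ == "__main__":
    print(demo())
```

The cache is per process, which is exactly the limitation raised above: with ten httpd children there are ten independent caches to warm, and each one disappears when its child exits. The TTL also bounds how long a password changed on the server keeps being accepted from the cache, so it should be kept short. The hash-and-compare path shows the other cost: every scheme the server may emit needs explicit support, and anything unrecognised has to fail closed.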