
Re: Newbie question: setting userPassword field



At 06:45 PM 2/7/00 -0800, John Kristian wrote:
>Dan wrote:
>
>> ... when a web user wishes to authenticate themselves to Apache using LDAP,
>> an Apache mod_xLDAPx needs to convert a plaintext password into
>> {SHA}blablabla@#$^$# before it can be sent to OpenLDAP for comparison and
>> authentication.  Is this correct?
>
>No; a simple LDAP Bind request containing a plaintext password (not a hash) may
>be used.  Other alternatives are possible, using LDAP Compare or other forms
>of Bind.

Note that these other approaches are validating the userPassword,
not authenticating the user to the directory.  The difference
is not just semantics.  That is, the success of password compare
within an authentication process is likely only one step of many.
Servers are free to implement a wide range of other "steps",
including access time restrictions and password policies.

I reiterate:
	LDAP bind is the only portable and secure method of
	authenticating a user to the directory.  Other
	methods may allow or disallow users inappropriately.

Kurt
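The distinction Kurt draws above (a userPassword Compare only validates a value; a Bind authenticates the user, with whatever policy the server enforces) is illustrated by the following added example. It is not code from the thread or from OpenLDAP. It hand-encodes the LDAPv3 simple BindRequest and CompareRequest as they appear on the wire (BER per RFC 4511), shows the server-side check of a {SHA} or {SSHA} userPassword value, and then runs both operations against a toy in-memory directory. The DNs, passwords, the locked account and the `loginHours` attribute are constructed for the example; `pwdAccountLockedTime` is used here only as an illustrative policy marker.

```python
"""Added example: LDAP Bind vs. Compare on the wire, and why Compare is not
authentication.  Toy directory, constructed DNs/passwords; not OpenLDAP code."""
import base64
import hashlib
import hmac
import os


# --- minimal BER encoder, only what the two requests need (RFC 4511) --------
def ber_len(n):
    """Length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n):            # INTEGER, non-negative values only
    return ber(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def ber_octets(b):         # OCTET STRING
    return ber(0x04, b)


def ber_seq(payload):      # SEQUENCE
    return ber(0x30, payload)


def simple_bind_request(msg_id, dn, password):
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER,
    name LDAPDN, authentication simple [0] OCTET STRING }.
    The password is sent in the clear: only ever do this over TLS."""
    body = ber_int(3) + ber_octets(dn.encode()) + ber(0x80, password.encode())
    return ber_seq(ber_int(msg_id) + ber(0x60, body))


def compare_request(msg_id, dn, attr, value):
    """CompareRequest ::= [APPLICATION 14] SEQUENCE { entry LDAPDN,
    ava AttributeValueAssertion { attributeDesc, assertionValue } }."""
    ava = ber_seq(ber_octets(attr.encode()) + ber_octets(value.encode()))
    return ber_seq(ber_int(msg_id) + ber(0x6E, ber_octets(dn.encode()) + ava))


# --- server-side userPassword handling ({SHA}, {SSHA}, cleartext) -----------
def make_sha(password):
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password, salt=None):
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_user_password(stored, candidate):
    """Compare a candidate against a stored value; constant-time on the digest."""
    if stored.startswith("{SHA}"):
        want = base64.b64decode(stored[5:])
        got = hashlib.sha1(candidate.encode()).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        want, salt = raw[:20], raw[20:]
        got = hashlib.sha1(candidate.encode() + salt).digest()
    else:                                   # cleartext userPassword
        want, got = stored.encode(), candidate.encode()
    return hmac.compare_digest(want, got)


class Directory:
    """Toy server: Compare checks only the value; Bind also applies policy."""

    def __init__(self, entries):
        self.entries = entries

    def compare(self, dn, attr, value):
        entry = self.entries.get(dn)
        if entry is None:
            return "noSuchObject"
        if attr not in entry:
            return "noSuchAttribute"
        if attr.lower() == "userpassword":
            return "compareTrue" if check_user_password(entry[attr], value) else "compareFalse"
        return "compareTrue" if entry[attr] == value else "compareFalse"

    def bind(self, dn, password, hour=12):
        entry = self.entries.get(dn)
        # One result code for unknown DN and wrong password: no user enumeration.
        if entry is None or not check_user_password(entry["userPassword"], password):
            return "invalidCredentials"
        if entry.get("pwdAccountLockedTime"):       # constructed lockout marker
            return "invalidCredentials"
        start, end = entry.get("loginHours", (0, 24))   # hypothetical attribute
        if not start <= hour < end:
            return "unwillingToPerform"
        return "success"


DIRECTORY = Directory({                             # constructed sample data
    "uid=alice,ou=people,dc=example,dc=com": {"userPassword": make_ssha("correct horse")},
    "uid=bob,ou=people,dc=example,dc=com": {
        "userPassword": make_sha("battery staple"),
        "pwdAccountLockedTime": "20000207000000Z",   # account locked by policy
    },
})


def demo():
    """Bob's password is right, so Compare says compareTrue; Bind still refuses him."""
    bob = "uid=bob,ou=people,dc=example,dc=com"
    return {"compare": DIRECTORY.compare(bob, "userPassword", "battery staple"),
            "bind": DIRECTORY.bind(bob, "battery staple")}


if __name__ == "__main__":
    print(demo())   # {'compare': 'compareTrue', 'bind': 'invalidCredentials'}
```

An Apache module that answered Dan's question by hashing the password itself and issuing a Compare would let Bob in here; one that issues a simple Bind gets the server's answer, lockout included. Note that the BindRequest carries the password as plain octets, which is the other half of Kurt's "secure": the Bind must go over TLS (or use a SASL mechanism) or the credential is readable on the wire.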