
Re: slurpd -d9 --- Invalid credentials
Kurt D. Zeilenga wrote:
> Let me repeat using different words which Howard and others have
> already explained to you.
> 
> Password-based mechanisms require the client to have knowledge of
> the actual password.  That password is either provided by a
> human or read from a password store.
I know this gets OT but shouldn't that read:

challenge-response based mechanisms (such as CRAM-MD5, DIGEST-MD5)
require the cleartext password to be stored on client and server?

It is my understanding you can have cleartext passwords on the wire
(sasl PLAIN, LOGIN, simple_bind,...) and store hashes on the server side
*OR* secure exchange of credentials with challenge-response mechanisms
(*-MD5) which require cleartext passwords on both sides. You cannot have
both.

cheers
 Paul
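As an added illustration of the two models Paul contrasts (this is example code, not from the thread or from OpenLDAP): a simple bind verified against an OpenLDAP-style {SSHA} hash, beside CRAM-MD5 (RFC 2195), where the server must hold the cleartext password and the stored hash cannot stand in for it. The password, salt and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac

# --- Simple bind / SASL PLAIN: cleartext crosses the wire, server stores only a salted hash ---
def ssha_hash(password: bytes, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} storage form: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_plain(stored: str, password: bytes) -> bool:
    """Server side of a simple bind: re-hash the cleartext it just received and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())

# --- CRAM-MD5: only an HMAC crosses the wire, so both sides need the password itself ---
def cram_md5_response(username: str, password: bytes, challenge: bytes) -> str:
    """Client side: HMAC-MD5 keyed with the cleartext password over the server's challenge."""
    return f"{username} {hmac.new(password, challenge, hashlib.md5).hexdigest()}"

def verify_cram_md5(server_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recomputes the HMAC, so it needs the same key the client used,
    i.e. the cleartext password (or HMAC key state derived from it, which is
    password-equivalent). A one-way {SSHA} hash cannot serve as that key."""
    _, digest = response.split(" ", 1)
    expected = hmac.new(server_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def demo() -> dict:
    password = b"correct horse"                  # constructed sample credential
    salt = b"\x01\x02\x03\x04"                   # constructed fixed salt for reproducibility
    challenge = b"<1234.1700000000@ldap.example.test>"   # constructed, RFC 2195 msg-id style
    stored_hash = ssha_hash(password, salt)
    response = cram_md5_response("tim", password, challenge)
    return {
        "plain_ok": verify_plain(stored_hash, password),
        "plain_wrong": verify_plain(stored_hash, b"wrong"),
        "cram_ok": verify_cram_md5(password, challenge, response),
        # A server that kept only the {SSHA} hash cannot verify the CRAM-MD5 response:
        "cram_with_hash_only": verify_cram_md5(stored_hash.encode(), challenge, response),
    }

if __name__ == "__main__":
    print(demo())
```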