
Re: Compare-Request on hashed userPassword



On 29/09/11 17:51 +0200, Buchan Milne wrote:
> On Wednesday, 28 September 2011 16:24:35 Dan White wrote:
>> We had a similar problem where Sun ILOM requires userPassword to be in a
>> Solaris compatible crypt format. We created a custom attribute, called
>> cryptedUserPassword, and populate it for the users that need access to the
>> device. Then we make use of slapd-relay and slapo-rwm, to present
>> cryptedUserPassword as userPassword when our relayed tree
>> (dc=example,dc=net,dc=ilom) is queried.
>
> What benefit is this over having the userPassword be in CRYPT? In either case,
> you're exposing weak passwords to a specific account. If an attacker could
> gain access to userPassword, most likely they have easier access to the
> cryptedUserPassword attribute?

Yes, we have the same problem (but, this seems to be about the only really
irritating misfeature of the ILOM, compared to the manifold problems of HP
iLO).

And yes, I would much rather find an avenue to escalate this to Sun/Oracle
....

Do you mean?

userPassword: {CRYPT}$1$...

Presumably that would fail since ILOM is requesting userPassword and
comparing it locally, and would balk at the '{CRYPT}' substring.

I have the same ACLs configured for both userPassword and
cryptedUserPassword (custom attribute).

I don't have a business relationship with Oracle to open a ticket. Does
anyone have a point of contact at Oracle to submit feature requests to?

--
Dan White
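As an added illustration, not Dan White's actual configuration (the thread never shows it), here is what the slapd-relay plus slapo-rwm arrangement he describes looks like in slapd.conf. The virtual suffix dc=example,dc=net,dc=ilom is the one named in the message; the real suffix dc=example,dc=net, the ILOM's bind DN cn=ilom,ou=services,dc=example,dc=net and the ACL that limits who may read the crypt hash are assumptions made for the example.

```conf
# Added example; not from the thread. Assumes the real tree is
# dc=example,dc=net and that the ILOM binds as
# cn=ilom,ou=services,dc=example,dc=net (both assumed).

# Real database. userPassword keeps a normal {SSHA}-style hash for every
# other consumer; cryptedUserPassword holds a bare Solaris-compatible
# crypt(3) hash with NO {CRYPT} prefix, because the ILOM reads the value
# and compares it locally instead of sending a Bind or Compare.
database    mdb
suffix      "dc=example,dc=net"
# rootdn, directory, indexes etc. omitted

# The crypt hash is the weaker of the two; expose it only to the identity
# that actually needs it. ACLs are evaluated against the real attribute
# name, so this rule also governs the relay view below.
access to attrs=cryptedUserPassword
    by dn.exact="cn=ilom,ou=services,dc=example,dc=net" read
    by * none

# Virtual view the ILOM is pointed at. Entries come from the real database,
# DNs are massaged onto the virtual suffix, and the client-visible name
# userPassword is mapped onto the real attribute cryptedUserPassword.
database    relay
suffix      "dc=example,dc=net,dc=ilom"
relay       "dc=example,dc=net"

overlay     rwm
rwm-suffixmassage   "dc=example,dc=net"
# rwm-map attribute <local (client) name> <foreign (real) name>
rwm-map attribute userPassword cryptedUserPassword
```

Two checks worth running after loading this: an ldapsearch as the ILOM identity under dc=example,dc=net,dc=ilom should return the crypt hash under the name userPassword, and the same search as an unprivileged user should return no password attribute at all. Whether the real userPassword is still visible through the view under its own name depends on the rwm-map semantics of the slapd version in use, so verify that in the first search as well rather than assuming it.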