
RE: authentification issue with clear text password



On Wed, 15 Feb 2012 16:35:38 +0200, Szilard Gyorgy wrote:
> Hi Hallvard
>
> I use the compare tool just for testing
>
> The problem is when I try to login to my Cisco router (using ldap) I
> got a compare false error message.
> After that I tested the same password with this tool and I got the
> same result.

That's working as intended.

> If I give the same password that I used to login, why is it not working? Ok,
> it is a different encryption - how can I change it?

The Bind operation treats the userPassword attribute specially and
pays attention to encryption, while the Compare operation just considers
userPassword an ordinary attribute and compares it as-is.  For Compare
to work, you must store the cleartext password with ldapmodify.
However slapd might be configured so Bind does not support cleartext
userPassword...

BTW, also note that tools like ldapsearch display the password
base64-encoded.  The '::' after the attribute name indicates this.
That's a client-side matter, but might add some extra confusion.

> PS: I need to have the compare function working with clear text
> password - if it is not working with ldap's own compare tool I can't
> expect that it will work with the router.

I hope you are testing the wrong thing.  I don't know why you can't
expect that, it is working as specified after all.  But then, I don't
know how your router uses LDAP.  You can hide userPassword with access
controls so people only can compare and Bind, but not read it. But it's
better if the password can never be read.  In which case there
is also no need to store it in cleartext.

--
Hallvard
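
The Bind/Compare difference described in the message above, as an added Python model that is not part of the original post and is not slapd's code. It assumes the stored value uses the {SSHA} scheme and that Bind also accepts a cleartext value; the password, salt and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def make_ssha(password: bytes, salt: bytes) -> bytes:
    """Build an {SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def bind_check(stored: bytes, presented: bytes) -> bool:
    """Bind semantics: interpret the scheme prefix, then verify the password."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[len(b"{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        candidate = hashlib.sha1(presented + salt).digest()
        return hmac.compare_digest(candidate, digest)
    # Assumption: a value without a scheme prefix is treated as cleartext.
    return hmac.compare_digest(stored, presented)

def compare_check(stored: bytes, asserted: bytes) -> bool:
    """Compare semantics as described above: match the stored value as-is."""
    return hmac.compare_digest(stored, asserted)

def parse_ldif_value(line: str):
    """Return (attribute, raw bytes); 'attr:: x' means x is base64-encoded."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.strip().encode()

def demo() -> dict:
    password = b"s3cret-example"      # constructed sample password
    salt = b"\x01\x02\x03\x04"        # constructed fixed salt, for repeatability
    stored = make_ssha(password, salt)
    # What a client such as ldapsearch would print for this attribute.
    ldif_line = "userPassword:: " + base64.b64encode(stored).decode()
    return {
        "bind_hashed": bind_check(stored, password),          # True
        "compare_hashed": compare_check(stored, password),    # False
        "compare_cleartext": compare_check(password, password),  # True
        "ldif_roundtrip": parse_ldif_value(ldif_line)[1] == stored,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
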