[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password hashes and simple binds




On Nov 23, 2013, at 12:10 PM, Dieter Klünter <dieter@dkluenter.de> wrote:

It is not that simple. 
RFC-2307 describes hashing schemes, but not {CLEARTEXT), man
slapd.conf(5) mentions {CLEARTEXT} as password-hash.
http://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html
only refers to hashed userpassword values.
DIGEST-MD5 is a SASL mechanism which requires a cleartext password,
thus a hashing scheme of {CLEARTEXT} is valid for a SASL mechanism.

I consider this a bug.

{CLEARTEXT} was introduced as a means for configuring the server for userPassword values with no hash scheme (e.g., cleartext), it's not expected to appear in userPassword.

-- Kurt