
feature request: use EXOP for password changes: msg#00009

Subject: feature request: use EXOP for password changes
OpenLDAP supports an EXOP for password changes. This means the hash
is not done by the client, but by the server with whatever scheme the
server is configured to use.

This could be added to the password change dialog as another option
(called "exop" or "use extended operation", for example) among the
schemes that are already there.

One benefit of this is for when one uses openldap's new password policy
overlay, which intercepts password changes and applies policies to them.
If supplying the password already as a hash, the policy can't be applied
because the clear text password is unknown. But if using exop, the
password is provided in clear text and the server can then test it for
the security policies that were configured. And, if the new password
passes the tests, it gets hashed by the server and stored.

The other benefit is that there is no risk of ever using a hash
algorithm or implementation that the server happens to not support.

There are some workarounds one can use while exop is not implemented in
luma: select "clear text" in luma and enable ppolicy_hash_cleartext on
the server. Its description says (emphasis mine):

       ppolicy_hash_cleartext
              Specify that cleartext  passwords  present  in  Add  and  Modify
              requests  should  be hashed before being stored in the database.
              This violates the  X.500/LDAP  information  model,  but  may  be
              needed  to  compensate for LDAP clients that don't use the Pass-
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              word Modify extended operation to manage passwords.  It is  rec-
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              ommended that when this option is used that compare, search, and
              read access be denied to all directory users.




