From: Chris R. <chr...@me...> - 2001-07-04 08:12:37
David Bussenschutt <d.b...@ma...> wrote:

> Of course, the easiest way to do a password compare without having to
> worry about the encoding, or UTF, or any other directory specific stuff
> is to try doing a bind as that user.
> If you can bind, then the password was OK.
> Isn't that easier than the other options given?

Yes and no. When you send a bind to the server, internally it issues a compare operation against the userPassword attribute etc., so bind and compare should basically both work and fail identically when given the same input.

The reason you might want to use compare instead of bind is because some servers will close the TCP connection when you unbind, which is a pain if you're trying to have your authentication code embedded in a long-lived process, e.g. mod_perl. Also of course, it might be possible to bind as the manager of the server and then bind as user 'A', but not bind as user 'A' and then bind as user 'B' due to access controls.

For a short-lived CGI script you can get away with creating a connection and doing a bind over it, but for a long-lived embedded script you want to keep the connection open as long as possible and therefore should bind once as the manager (or something equivalent) and then issue compare operations on demand.

> David.
> I assume that '_properly_encoded_password' is the encrypted password held by
> the directory server because
> the plain text password does not provide LDAP_COMPARE_TRUE.
>
> Is it possible to obtain username / password validation using perl-ldap if I
> have the plain text password.
> I can use normal prompt for user / password for the CGI portion of my
> program, but I also need to validate the user as part of a daemon request.
> My security folks feel that passing the encrypted password to the daemon
> only proves that I was able to access the directory server and ask for the
> encrypted password.

That is true, if the hash algorithm used doesn't use any 'salt'. For example a password hashed using SHA-1 or MD5 will always hash to the same value, but a password hashed using the traditional Unix crypt algorithm will hash to different values each time because of the extra randomness stirred in by the algorithm.

If the server is storing hashed passwords, you should be binding/comparing with the plain text passwords. Consider using LDAPS or LDAPv3 startTLS if you want to prevent people from sniffing those passwords on your network.

Cheers,

Chris
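The pattern Chris describes above (one long-lived connection, bind once as the manager, then a compare on userPassword for each check, over startTLS) and the salt point from the same message, written out as an added Perl example that is not part of the original thread. The host name, manager DN, CA file path and user DN are placeholders, and the manager password is read from an assumed LDAP_MANAGER_PW environment variable; only the Net::LDAP calls (new, start_tls, bind, compare, unbind) and the LDAP_COMPARE_TRUE / LDAP_COMPARE_FALSE constants are real API.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_COMPARE_TRUE LDAP_COMPARE_FALSE);
use Digest::SHA qw(sha1_base64);

# Placeholders (assumed, not from the thread): adjust for your directory.
my $HOST       = 'ldap.example.com';
my $MANAGER_DN = 'cn=Manager,dc=example,dc=com';
my $CA_FILE    = '/etc/ssl/certs/ca.pem';

# Connect once, upgrade to TLS so plaintext passwords are never sent in the
# clear, and bind once as the manager. In mod_perl or a daemon this handle
# is kept open and reused for every subsequent check.
sub connect_as_manager {
    my $manager_pw = $ENV{LDAP_MANAGER_PW}
        or die "set LDAP_MANAGER_PW in the environment\n";
    my $ldap = Net::LDAP->new($HOST, version => 3)
        or die "connect to $HOST failed: $@\n";
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $CA_FILE);
    die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;
    $mesg = $ldap->bind($MANAGER_DN, password => $manager_pw);
    die "manager bind failed: " . $mesg->error . "\n" if $mesg->code;
    return $ldap;
}

# Verify a plaintext password with a compare on userPassword, so no
# per-user bind/unbind cycle is needed and the connection stays up.
# Returns 1 on match, 0 on mismatch; any other result code (dropped
# connection, no such entry, ACL denial) dies rather than being silently
# reported as "wrong password".
sub check_password {
    my ($ldap, $user_dn, $plaintext) = @_;
    my $mesg = $ldap->compare($user_dn,
                              attr  => 'userPassword',
                              value => $plaintext);
    return 1 if $mesg->code == LDAP_COMPARE_TRUE;
    return 0 if $mesg->code == LDAP_COMPARE_FALSE;
    die "compare for $user_dn failed: " . $mesg->error . "\n";
}

# Why a stored hash should not be handed around as if it were a credential:
# an unsalted {SHA} value for a given password is identical every time,
# while crypt() output changes with the salt, so only the salted form
# resists being matched or replayed from a single captured value.
sub hash_demo {
    my $pw = shift;
    # sha1_base64 omits the trailing '='; the {SHA} scheme includes it.
    my $sha_a = '{SHA}' . sha1_base64($pw) . '=';
    my $sha_b = '{SHA}' . sha1_base64($pw) . '=';
    # Two different two-character salts for traditional crypt().
    my $crypt_a = crypt($pw, 'ab');
    my $crypt_b = crypt($pw, 'cd');
    return {
        sha_same   => ($sha_a   eq $sha_b)   ? 1 : 0,   # 1: unsalted hash repeats
        crypt_same => ($crypt_a eq $crypt_b) ? 1 : 0,   # 0: salted hash differs
    };
}

unless (caller) {
    my $demo = hash_demo('correct horse');
    printf "unsalted SHA identical: %d, crypt with two salts identical: %d\n",
        $demo->{sha_same}, $demo->{crypt_same};

    my $ldap = connect_as_manager();
    my $ok = check_password($ldap,
                            'uid=alice,ou=people,dc=example,dc=com',
                            'plaintext-password-from-login-form');
    print $ok ? "password accepted\n" : "password rejected\n";
    $ldap->unbind;   # only at process shutdown, not after every check
}
```

The compare is issued on the manager's connection, which is what makes the approach work with servers that close the socket on unbind or whose access controls stop one user from re-binding as another. Whether compare on userPassword returns the right answer for hashed values depends on the server performing the hash check itself, as OpenLDAP does; the plaintext is what you send either way.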