From: Chris R. <chr...@me...> - 2002-04-08 13:53:47

Clif Harden <cl...@di...> wrote:
>
> I have a question for the gurus of ldap.
>
> Does anyone use multi-valued userPasswords?
> If multi-valued userPasswords are used could
> they have different encryption tags; {crypt}, {SHA}, etc.

The only real constraint the standards impose is that all values of an attribute must compare different for equality. Since the use of hashed password values is somewhat non-standard (they are only loosely defined in an informational RFC) it is really something you will need to ask your vendor about.

Off the top of my head there are two ways a server could implement hashed password values:

1) by using special syntax handlers which were aware of the hashing mechanisms
2) by doing simple textual comparisons on the values

For case 1) since it is impossible to compare two values using different hashing schemes (eg {sha}1234 and {crypt}1234) unless you know the plaintext values it is *probable* that your server will say these are different values and hence permit one userPassword attribute to contain multiple differently-hashed values.

In case 2) you can probably see it is going to work just fine, except that some algorithms using salts (eg traditional Unix crypt) with the keys will produce different hashed strings for the same value at different times so some problems might arise.

Cheers,

Chris
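
Added example, not part of the original message and not any server's own code: a Python sketch of the textual-comparison case (2) showing how one plaintext can end up stored as several distinct userPassword values. It assumes the {SHA} and salted {SSHA} encodings as commonly implemented, and that a bind succeeds when any one value matches; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

def make_sha(password: bytes) -> str:
    """Unsalted {SHA} value: base64 of the SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()

def make_ssha(password: bytes, salt: bytes = None) -> str:
    """Salted {SSHA} value: base64 of SHA-1(password + salt) followed by the salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def split_value(value: str):
    """Split '{scheme}data' into (SCHEME, data); no prefix means cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, data = value[1:].split("}", 1)
        return scheme.upper(), data
    return "", value

def verify(password: bytes, value: str) -> bool:
    """Check a candidate password against one stored value."""
    scheme, data = split_value(value)
    if scheme == "SHA":
        return hmac.compare_digest(make_sha(password), "{SHA}" + data)
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    if scheme == "":
        return hmac.compare_digest(password, data.encode())
    return False  # scheme not handled here (e.g. {crypt}): never match

def textually_distinct(values) -> bool:
    """Case 2 in the mail: plain string comparison of the stored values."""
    return len(set(values)) == len(values)

def bind_ok(password: bytes, values) -> bool:
    """Assumption: a bind succeeds if any one value of the attribute matches."""
    return any(verify(password, v) for v in values)

if __name__ == "__main__":
    # Constructed sample: one password stored three ways in one attribute.
    stored = [make_sha(b"secret"), make_ssha(b"secret"), make_ssha(b"secret")]
    print(textually_distinct(stored), bind_ok(b"secret", stored))
```

Because each salted value differs textually, rotating a password on such a server means replacing every value of the attribute, not adding a new one alongside the old.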