Re: courier-ldap: userPassword with and without {crypt} [patch]
On Wednesday 30 May 2001 22:56, Piotr Roszatycki wrote:
> Package: courier-ldap
> Version: 0.34.0-1
> Severity: wishlist
>
> I've got an LDAP database with two accounts. The first has a userPassword in
> plain text, the second has userPassword with {crypt} prefix.
>
> dn: uid=dexter, ou=accounts, dc=test, dc=com
> objectClass: top
> userPassword: foobar
>
> dn: uid=user, ou=accounts, dc=test, dc=com
> objectClass: top
> userPassword: {crypt}FyeKCIKPtftEk
>
> The Courier authdaemon can't use plain and crypted passwords if they
> are stored in the same field.
>
> This is my patch for autodetection of crypted passwords. The pam_ldap.so
> module has the same behaviour.
Good work, that's a necessary feature.
But doesn't Courier support password authentication by binding to the LDAP?
When configuring LDAP I prefer to have applications check the password by
binding, this way things can be configured so that the application lacks read
privs to the userPassword attribute and thus if a hostile user gets that
level of access they can't do anything other than a brute-force attack.
--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
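
The access-control setup described in the reply above, written out as an added example that is not part of the original message or of Courier's own configuration. It assumes OpenLDAP as the directory server (slapd.conf ACL syntax), and the service account DN `cn=courier,ou=services,dc=test,dc=com` is hypothetical.

```conf
# slapd.conf ACL fragment (OpenLDAP). DNs are constructed for this example.
# Rules are evaluated in order and the first matching "access to" wins,
# so the userPassword rule must come before the broader subtree rule.

# Weak variant (commented out): the mail server's service account reads
# userPassword and compares it locally. Anyone who obtains that account's
# credentials can dump every stored value, plain text or {crypt} hash.
#access to attrs=userPassword
#        by dn.exact="cn=courier,ou=services,dc=test,dc=com" read
#        by self write
#        by anonymous auth
#        by * none

# Corrected variant: no client can read userPassword. "auth" only lets
# slapd itself use the attribute to check a simple bind, so the mail
# server verifies a login by binding as the user with the supplied password.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The service account may still read the other account attributes it needs
# to locate the user's entry. Anonymous needs "auth" on the entry itself
# for the bind to be evaluated.
access to dn.subtree="ou=accounts,dc=test,dc=com"
        by dn.exact="cn=courier,ou=services,dc=test,dc=com" read
        by self read
        by anonymous auth
        by * none
```

With the corrected variant the server also decides how to interpret the stored value, so a client that only binds needs no logic to tell a `{crypt}` value from a plain-text one.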