[JDEV] digest and ldap and authentication
Jerrad Pierce
belg4mit at CALLOWAY.MIT.EDU
Sun Jul 30 10:52:06 CDT 2000
In reply to your message from the not too distant future: next Sunday AD
Reply-to: belg4mit at mit.edu
Return-receipt-to: belg4mit at mit.edu
Organization: a) Discordia b) none c) what's that?
Content-Typo: gibberish, charset=ascii-art
Date: Sun, 30 Jul 2000 11:52:03 EDT
From: Jerrad Pierce <belg4mit>
None of this really has to be a problem...
Why are you under the impression you must pass the data to LDAP in plaintext?
If the client provides the data hashed, then store that hash in LDAP's
password field... To authenticate, take the hash the client supplies,
and use the standard mechanism for verifying a password w/ LDAP.
So LDAP doesn't have a direct copy of the password, big deal. If at least
one of the hashing algorithms used is sufficiently good, all is well.
And it could be argued that this is more secure, since the server has no real
knowledge of the password.
This is kinda the whole point behind OTP (RFC 1938).
Additionally, you don't really need SSL to have encrypted connections either.
A chaining block cipher would work just as well. For examples see the HCE::*
modules for Perl.
--
[ASCII-art signature; recoverable details:]
Jerrad Pierce
209 North Street
Randolph, MA 02368
http://www.pthbb.org
MOTD on Sweetmorn, the 65th of Confusion, in the YOLD 3166:
Your ignorance cramps my conversation.
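The scheme sketched in the post above (client sends a digest instead of the password; the directory stores that digest through its ordinary password mechanism and later verifies it the same way) as an added, self-contained Python example; this is not code from the post, from the HCE::* modules, or from any LDAP server. The client-side digest algorithm is an assumption (the post names none), the `Directory` class is a toy stand-in for LDAP, and the `{SSHA}` encoding is OpenLDAP's real userPassword scheme (base64 of sha1(secret + salt) followed by the salt), used here as the "standard mechanism for verifying a password":

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def client_digest(username: str, password: str) -> str:
    """Client-side digest (assumption: the post does not say which hash).

    The user name is mixed in so two users sharing a password do not
    produce the same digest on the wire."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def ssha_encode(secret: bytes, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} userPassword format: base64(sha1(secret + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(secret + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(secret: bytes, stored: str) -> bool:
    """Recompute the salted SHA-1 and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported userPassword scheme")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(secret + salt).digest(), digest)


class Directory:
    """Toy stand-in for the LDAP directory: user name -> userPassword value.

    It never sees the plaintext; whatever the client hands over is treated
    as 'the password' and hashed again with the server's own scheme."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}

    def set_password(self, username: str, secret_from_client: str) -> None:
        self.entries[username] = ssha_encode(secret_from_client.encode())

    def bind(self, username: str, secret_from_client: str) -> bool:
        stored = self.entries.get(username)
        return stored is not None and ssha_verify(secret_from_client.encode(), stored)


def enroll(directory: Directory, username: str, password: str) -> None:
    """Client side of enrolment: only the digest leaves the client."""
    directory.set_password(username, client_digest(username, password))


def authenticate(directory: Directory, username: str, password: str) -> bool:
    """Client side of login: digest the password, then do a normal bind."""
    return directory.bind(username, client_digest(username, password))


def what_the_store_holds(directory: Directory, username: str, password: str) -> Dict[str, bool]:
    """Inspect the stored value: neither the plaintext nor the client digest
    appears verbatim, because the directory hashes the digest once more."""
    stored = directory.entries[username]
    return {
        "plaintext_in_store": password in stored,
        "client_digest_in_store": client_digest(username, password) in stored,
    }


if __name__ == "__main__":
    d = Directory()
    enroll(d, "alice", "correct horse")          # constructed sample user
    print(d.entries["alice"])                    # {SSHA}... value, never the plaintext
    print(authenticate(d, "alice", "correct horse"), authenticate(d, "alice", "wrong"))
    print(what_the_store_holds(d, "alice", "correct horse"))
```

Note what the bind actually checks: the directory verifies the value the client sends, so the client-side digest is the credential as far as the server is concerned. The directory is indeed spared the plaintext, but the digest on the wire still needs the transport protection the post's last paragraph discusses.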