Michael Ströder wrote:
> Well, at first I simply wanted to ignore this completely.
> But after Andrew's request I've already changed it for upcoming -02 like this:

I think you need to re-read RFC5234.

> userpasswordvalue = cleartext-password / prefix hashed-password
> prefix = "{" scheme "}"
> scheme = %x30-39 / %x41-5A / %x61-7a / %x2D-2F / %x5F
> ;0-9, A-Z, a-z, "-", ".", "/", or "_"

Should be something like

schemechar = %x30-39 / %x41-5A / %x61-7a / %x2D-2F / %x5F
scheme = 1*schemechar

> hashed-password = b64-hashandsalt / crypt3-result
> b64-hashandsalt = <base64 of hashandsalt>
> hashandsalt = password-hash salt
> password-hash = <digest of cleartext-password salt>
> cleartext-password = %x00-FF
> salt = %x00-FF

Should be something like

octet = %x00-FF
cleartext-password = 1*octet
salt = 0*octet

(Or perhaps you allow zero-length passwords? Don't care much either way.)

> md5-hash = 16octet
> sha1-hash = 20octet
> ...
> crypt3-result = <generated by Unix function crypt(3)>
>
> Please review this. Comments about clarity welcome.
>
> Ciao, Michael.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
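The corrected grammar above (scheme = 1*schemechar, cleartext-password = 1*octet, salt = 0*octet, hashandsalt = password-hash salt with a fixed digest length per scheme) can be exercised with a small parser and verifier. The following Python is an added example written for this thread; it is not code from the draft, from OpenLDAP, or from either author. It assumes the scheme names MD5, SMD5, SHA and SSHA (common LDAP usage, not stated in the thread) and the digest lengths the draft gives for md5-hash and sha1-hash; crypt3-result values are left out.

```python
import base64
import hashlib
import hmac
import re

# scheme name -> (hashlib algorithm, digest length in octets, salted?)
# Digest lengths follow the draft (md5-hash = 16octet, sha1-hash = 20octet);
# the scheme names themselves are an assumption from common LDAP usage.
SCHEMES = {
    "MD5": ("md5", 16, False),
    "SMD5": ("md5", 16, True),
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
}

# prefix = "{" scheme "}", scheme = 1*schemechar
# schemechar = %x30-39 / %x41-5A / %x61-7a / %x2D-2F / %x5F  (0-9 A-Z a-z - . / _)
# Everything after the closing brace is b64-hashandsalt (any octets, so DOTALL).
_PREFIXED = re.compile(rb"\{([0-9A-Za-z\-./_]+)\}(.*)", re.DOTALL)


def parse_userpassword(value: bytes):
    """Split a userPassword value into (scheme, password_hash, salt).

    A cleartext-password (no "{scheme}" prefix) is returned as (None, value, b"").
    Raises ValueError when the value does not fit the grammar.
    """
    m = _PREFIXED.fullmatch(value)
    if m is None:
        # cleartext-password = 1*octet: at least one octet is required
        if not value:
            raise ValueError("empty cleartext-password")
        return None, value, b""
    # Scheme names are matched case-insensitively (assumption, as in common servers)
    scheme = m.group(1).decode("ascii").upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    _algo, digest_len, salted = SCHEMES[scheme]
    try:
        hashandsalt = base64.b64decode(m.group(2), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("b64-hashandsalt is not valid base64") from exc
    # hashandsalt = password-hash salt; the digest has a fixed length, the salt
    # is whatever follows it (salt = 0*octet, so it may be empty).
    if len(hashandsalt) < digest_len:
        raise ValueError("decoded value is shorter than the digest length")
    password_hash, salt = hashandsalt[:digest_len], hashandsalt[digest_len:]
    if not salted and salt:
        raise ValueError(f"scheme {scheme} takes no salt but trailing octets are present")
    return scheme, password_hash, salt


def make_userpassword(scheme: str, cleartext: bytes, salt: bytes = b"") -> bytes:
    """Build "{scheme}" + base64(digest(cleartext salt) salt) for a known scheme."""
    if not cleartext:
        raise ValueError("cleartext-password must be at least one octet")
    algo, _digest_len, salted = SCHEMES[scheme]
    if salt and not salted:
        raise ValueError(f"scheme {scheme} does not take a salt")
    # password-hash = <digest of cleartext-password salt>
    password_hash = hashlib.new(algo, cleartext + salt).digest()
    return b"{" + scheme.encode("ascii") + b"}" + base64.b64encode(password_hash + salt)


def verify_userpassword(stored: bytes, candidate: bytes) -> bool:
    """Check a candidate cleartext against a stored userPassword value."""
    scheme, password_hash, salt = parse_userpassword(stored)
    if scheme is None:
        # cleartext storage: plain constant-time comparison
        return hmac.compare_digest(password_hash, candidate)
    algo = SCHEMES[scheme][0]
    expected = hashlib.new(algo, candidate + salt).digest()
    return hmac.compare_digest(expected, password_hash)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    stored = make_userpassword("SSHA", b"secret", b"\x01\x02\x03\x04")
    print(stored)
    print(parse_userpassword(stored))
    print(verify_userpassword(stored, b"secret"), verify_userpassword(stored, b"wrong"))
```

The parse step deliberately rejects what the corrected grammar rejects: an empty cleartext-password, a scheme name outside the schemechar set, base64 that does not decode, and a decoded blob too short to contain the digest. Because salt = 0*octet, an SSHA value with nothing after the 20-octet digest is still well-formed and is treated as unsalted SHA-1 of the password.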