> --On Wednesday, January 16, 2013 7:39 AM +0100 Michael Ströder
> <[email protected]> wrote:
>
>> Quanah Gibson-Mount wrote:
>>> --On Tuesday, January 15, 2013 2:35 PM -0800 Ori Bani
>>> <[email protected]> wrote:
>>>> Why hasn't the sha2 module been migrated out of the
>>>> contrib directory
>>>
>>> The "core" of OpenLDAP tries to be as RFC compliant as possible. There
>>> is no RFC that I'm aware of that adds SHA2 support.
>>
>> Sorry, this is an artificial argument which is simply not valid!
>>
>> Can you tell me which RFC specifies how to handle LANMAN hashes
>> (--enable-lmpasswd)? There are plenty of similar examples...
>
> OpenLDAP, like many software projects that have existed for numerous
> years, has grown in its development practices. Just because something
> was done incorrectly in the past is not a reason to continue doing so.
> Feel free to port lanman hashes to a contrib module.
I'm not an expert in security, so this is just my 2c.

In general, as far as I recall, we tend to be pragmatic when appropriate. So asking for a fancy useless feature to become mainstream because other fancy useless features made it long ago is pointless.

But when it comes to security, I think it may be wise to break the rule every now and then. I leave the judgement to security experts, but in any case I'd favour moving SHA-2 support to mainstream (or whatever other means makes it easier for packagers to include it without requiring users to compile it separately).

As I said, my 2c.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
