It seems very unreasonable, but it may be a problem of OpenLDAP; it seems that it doesn't expect the hashing algorithm to be indicated in the string.
Using set_password (extended control interface) always SMD5s the given password string, and it must be given in clear for it to work.

I feel compelled to make a test with all the possible combinations of: no hash algorithm, all hash algorithms: MD5, SMD5, SHA, SSHA, pass in clear or base 64 encoded, and using replace and set_password to set the newpass.

I will post the results later.

Hans

On Fri, 10 Nov 2006 06:29:46 +0000, Chris Ridd wrote
> On 9/11/06 11:03, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
>
> > Why are you base64 encoding the value yourself? There is no need for you
> > to do that. It'll happen automatically when added to the LDAP server.
> >
> > Basically, you are base64 encoding the word "foo", then sticking {MD5}
> > in front of that. Then the LDAP server is base 64 encoding that string
> > value.
>
> If the server's blindly doing that, then it is stupid (IMHO). A more
> reasonable way for a server to behave is for it to allow for the user
> providing pre-hashed (and formatted) passwords in add and modify
> operations, which has the obvious benefit of not sending plaintext
> passwords over the wire, and secondly it allows the user to choose
> which hash algorithm they want.
>
> We do exactly that in our server (which is why I think it is more reasonable
> :-) and it works very well.
>
> > replace=>{'userPassword'=>"{MD5}foo"});
>
> I'd remove the "{MD5}" from that as well.
>
> But as Graham said, likely one of the confusions is that the LDIF
> dump will also base64-encode the value.
>
> Cheers,
>
> Chris

Hans Christian Poo Rocco, General Manager
WeLinux.S.A.
Of: 672.93.18, Cel: 09-319.93.05, [EMAIL PROTECTED], http://www.welinux.cl
Nataniel Cox # 210 Of 56, Santiago de Chile
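
The two layers of base64 discussed in this thread, as an added example that is not part of the original messages and is not Net::LDAP or OpenLDAP code. It assumes the common `{SCHEME}base64(digest + salt)` layout for the four schemes named above; the function names are hypothetical and the sample password "foo" is the one quoted in the thread.

```python
import base64
import hashlib
import hmac
import os

# scheme -> (hash constructor, digest length in bytes, salted?)
SCHEMES = {
    "MD5": (hashlib.md5, 16, False),
    "SMD5": (hashlib.md5, 16, True),
    "SHA": (hashlib.sha1, 20, False),
    "SSHA": (hashlib.sha1, 20, True),
}

def make_userpassword(scheme, clear, salt=None):
    """Build '{SCHEME}' + base64(digest [+ salt]) from a cleartext password."""
    algo, _, salted = SCHEMES[scheme]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    digest = algo(clear.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def check_userpassword(stored, clear):
    """Verify a cleartext password; ValueError if the stored value is malformed."""
    if not stored.startswith("{") or "}" not in stored:
        # No scheme prefix: the value was stored in the clear.
        return hmac.compare_digest(stored.encode(), clear.encode())
    scheme, b64 = stored[1:].split("}", 1)
    if scheme.upper() not in SCHEMES:
        raise ValueError("unknown scheme: " + scheme)
    algo, size, salted = SCHEMES[scheme.upper()]
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < size or (not salted and len(raw) != size):
        raise ValueError("%d bytes is not a %s digest" % (len(raw), scheme))
    digest, salt = raw[:size], raw[size:]
    return hmac.compare_digest(algo(clear.encode() + salt).digest(), digest)

def ldif_line(stored):
    """How an LDIF dump shows it: the whole value base64-encoded once more."""
    return "userPassword:: " + base64.b64encode(stored.encode()).decode()

if __name__ == "__main__":
    good = make_userpassword("MD5", "foo")
    print(good, "->", ldif_line(good))
    try:
        # The mistake described in the thread: base64 of the cleartext, not of a digest.
        check_userpassword("{MD5}" + base64.b64encode(b"foo").decode(), "foo")
    except ValueError as err:
        print("rejected:", err)
```

Decoding the `userPassword::` line from an LDIF dump gives back the `{SCHEME}...` string, not the digest; the digest needs a second decode of the part after the closing brace.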