Re: [ldapext] DBIS - new IETF drafts

Luke Howard <lukeh@padl.com> Fri, 10 January 2014 14:15 UTC

Return-Path: <lukeh@padl.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27A5A1AE087 for <ldapext@ietfa.amsl.com>; Fri, 10 Jan 2014 06:15:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.44
X-Spam-Level:
X-Spam-Status: No, score=-2.44 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ly3yrMWKtFNM for <ldapext@ietfa.amsl.com>; Fri, 10 Jan 2014 06:15:28 -0800 (PST)
Received: from us.padl.com (us.padl.com [216.154.215.154]) by ietfa.amsl.com (Postfix) with ESMTP id 6C0241AE086 for <ldapext@ietf.org>; Fri, 10 Jan 2014 06:15:28 -0800 (PST)
Received: by us.padl.com with ESMTP id s0AEF4mo001067; Fri, 10 Jan 2014 09:15:09 -0500
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1822\))
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <52CFFEAC.7070208@proseconsulting.co.uk>
Date: Sat, 11 Jan 2014 01:15:03 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <C6DD84E6-0D5D-4F7A-90DF-46C382D4B06A@padl.com>
References: <52C9BED5.2080900@proseconsulting.co.uk> <52CAEA7D.5030002@highlandsun.com> <1389033674.27654.32.camel@pico.ipa.ssimo.org> <52CB2030.3010403@proseconsulting.co.uk> <1389050240.27654.67.camel@pico.ipa.ssimo.org> <52CDB6B2.2080406@proseconsulting.co.uk> <52CEBEAE.5090701@stroeder.com> <20140109174321.GV3938@slab.skills-1st.co.uk> <52CFFEAC.7070208@proseconsulting.co.uk>
To: Mark R Bannister <dbis@proseconsulting.co.uk>
X-Mailer: Apple Mail (2.1822)
X-SMTP-Vilter-Version: 1.3.6
X-Spamd-Symbols: AWL,BAYES_00,RDNS_NONE,USER_IN_WHITELIST
X-SMTP-Vilter-Spam-Backend: spamd
X-Spam-Threshold: 5.0
X-Spam-Probability: -20.4
Cc: Ldapext <ldapext@ietf.org>, Andrew Findlay <andrew.findlay@skills-1st.co.uk>, =?iso-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
Subject: Re: [ldapext] DBIS - new IETF drafts
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2014 14:15:30 -0000

>> Every LDAP-aware client system that I have worked with can use the
>> bind operation as a means to validate passwords, so the only
>> possible excuse for exporting hashes is temporary support of
>> migrating systems. If you only allow the export of hashes that are
>> actually needed by the old non-LDAP systems then at least you are
>> not making matters worse than they were before the migration.
> 
> Ok, so I posed this question just now, but can all LDAP servers you can think of authentication bind operations using CRYPT-style passwords?  If it can be done server-side there'll be no problem here and we need never expose the hashes to clients.

Active Directory cannot.

-- Luke