IETF Logo Mail Archive

Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01

Michael Ströder <michael@stroeder.com> Thu, 14 March 2013 19:19 UTC

Return-Path: <michael@stroeder.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02C4A11E811F for <ldapext@ietfa.amsl.com>; Thu, 14 Mar 2013 12:19:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.149
X-Spam-Level:
X-Spam-Status: No, score=-3.149 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tvXhW7YknkLM for <ldapext@ietfa.amsl.com>; Thu, 14 Mar 2013 12:19:25 -0700 (PDT)
Received: from srv1.stroeder.com (srv1.stroeder.com [213.240.180.113]) by ietfa.amsl.com (Postfix) with ESMTP id F27D811E80F2 for <ldapext@ietf.org>; Thu, 14 Mar 2013 12:19:24 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by srv1.stroeder.com (Postfix) with ESMTP id A8C216030F; Thu, 14 Mar 2013 20:19:23 +0100 (CET)
X-Virus-Scanned: amavisd-new at stroeder.com
Received: from srv1.stroeder.com ([127.0.0.1]) by localhost (srv1.stroeder.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vB2aZCJ3K5Xh; Thu, 14 Mar 2013 20:19:17 +0100 (CET)
Received: from [10.1.0.2] (unknown [10.1.0.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by srv1.stroeder.com (Postfix) with ESMTPS id D27236027F; Thu, 14 Mar 2013 19:19:14 +0000 (UTC)
Message-ID: <514222B0.9090107@stroeder.com>
Date: Thu, 14 Mar 2013 20:19:12 +0100
From: Michael Ströder <michael@stroeder.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 SeaMonkey/2.16
MIME-Version: 1.0
To: Howard Chu <hyc@highlandsun.com>, ldapext <ldapext@ietf.org>
References: <5103F924.2070800@stroeder.com> <CABBgLkcnK7WfthFOBD5Esfz+g1izcKoGgtxzKKDntc0i=E7LOQ@mail.gmail.com> <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com> <20130314001901.GN18706@slab.skills-1st.co.uk> <5141F560.6040805@highlandsun.com> <5142171C.6090807@stroeder.com> <51421EC9.6060502@highlandsun.com>
In-Reply-To: <51421EC9.6060502@highlandsun.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms020405050500060001050609"
Cc: "ldap@umich.edu" <ldap@umich.edu>
Subject: Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 19:19:26 -0000

Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Hashed userPassword values are strictly a server-internal implementation
>>> detail, clients never need to know about them.
>>
>> Not true.
>>
>> 1. E.g. think of bulk sync processes where it's quite usual that you convert
>> password hashes within the LDAP client - in some cases even salted.
> 
> If you can convert from one hash to another, the hash is broken.

Conversion in this context means converting string representations of (salted)
hashes. Obviously the algorithm and order of password and salt has to be the same.

>> 3. In some cases it's more appropriate that a LDAP client writes several
>> attributes in a *single* LDAP write operation instead of using a add/modify
>> with a subsequent Password Modify ext. op. E.g. when subschema has 'MUST
>> userPassword' for an object class used.
> 
> Perhaps so. But this requires the client (or admin running the client) to
> already know what schemes the target server supports.

We all know that clients have to use some a priori knowledge - most times
called protocol. ;-)

Another use-cases is dealing with data migration to server product of another
vendor.

=> So I consider this draft to be useful.

> Finally, an objectclass that defines "MUST userPassword" also has to be
> considered broken. (Reminds me of groupOfNames / MUST member.)

That's simply your personal opinion not a strong objecting argument.

>>      userpasswordvalue  = cleartext-password / prefix hashed-password
> 
> I think you should replace "hashed-password" with "scheme-specific data" and
> stop there.

That's a conclusion of your opinion. But I want to describe the *order* of
password and salt used by any server I saw using the scheme.

> Provide examples for MD5/SHA/SHA-2 if you like, but emphasize that
> these are just informal examples.

The whole I-D has target "informational".

> There's no reason someone can't come along
> and use an unconstrained octet string after the scheme, if they really want to.

Yes. But this would just be another scheme to be defined somewhere else.
This draft does not claim to cover everything you could ever stuff into
'userPassword'.

Ciao, Michael.

v2.23.0 | Report a Bug | By Email