Re: [ldapext] DBIS - new IETF drafts

Mark R Bannister <> Fri, 10 January 2014 14:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8AC5C1AE01E for <>; Fri, 10 Jan 2014 06:37:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W7HMn6Fs-1k7 for <>; Fri, 10 Jan 2014 06:37:21 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 0D1A71AD68A for <>; Fri, 10 Jan 2014 06:37:21 -0800 (PST)
Received: from ([] helo=[]) by with esmtpa (Exim 4.71) (envelope-from <>) id 1W1dCw-0001Z2-LF; Fri, 10 Jan 2014 14:37:10 +0000
Message-ID: <>
Date: Fri, 10 Jan 2014 14:36:45 +0000
From: Mark R Bannister <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Luke Howard <>
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailcore-Auth: 12040446
X-Mailcore-Domain: 1286164
Cc: Ldapext <>, Andrew Findlay <>, =?ISO-8859-1?Q?Mich?= =?ISO-8859-1?Q?ael_Str=F6der?= <>
Subject: Re: [ldapext] DBIS - new IETF drafts
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 10 Jan 2014 14:37:22 -0000

On 10/01/2014 14:15, Luke Howard wrote:
>>> Every LDAP-aware client system that I have worked with can use the
>>> bind operation as a means to validate passwords, so the only
>>> possible excuse for exporting hashes is temporary support of
>>> migrating systems. If you only allow the export of hashes that are
>>> actually needed by the old non-LDAP systems then at least you are
>>> not making matters worse than they were before the migration.
>> Ok, so I posed this question just now, but can all LDAP servers you can think of authentication bind operations using CRYPT-style passwords?  If it can be done server-side there'll be no problem here and we need never expose the hashes to clients.
> Active Directory cannot.
> -- Luke

Thanks Luke.  Everywhere I have seen UNIX accounts deployed on AD, 
Kerberos password authentication has been used, so in those places it 
would not be an issue.  However, I cannot possibly know how many people 
out there rely on CRYPT hashes in AD attributes, and I'm not about to 
cut off the possibly of them migrating to DBIS.  CRYPT will therefore 
have to remain as an option, although I'm perfectly happy to put 
stronger wording around it.  So far I have written:

    While a DUA MAY implement any authentication password scheme
    supported by the DSA, it MUST support the CRYPT scheme for backwards
    compatibility, which is an implementation of the traditional UNIX
    crypt algorithm.  However, it is RECOMMENDED that a more secure
    scheme is used.

and ...

    Passwd and group database entries contain encrypted passwords and
    SHOULD be transmitted securely when transferred between DSA and DUA
    to prevent eavesdropping.  A DUA SHOULD NOT allow a user to see any
    encrypted passwords except they MAY see the password on their own
    posixUserAccount entry in encrypted form.

Open to suggestions on how to reword this.

Best regards,