[nssldap] Question about getspnam/getpwnam and ldap

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: "Markus Moeller" <huaraz [at] moeller.plus.com>
To: nssldap [at] padl.com
Cc: ldap-nis [at] padl.com
Subject: [nssldap] Question about getspnam/getpwnam and ldap
Date: Wed, 9 Jan 2008 13:03:07 -0000

Hi,

I am looking into replacing NIS with LDAP and came to a point where I stillneed to support getspnam/getpwnam for password checks as I have legacyapplications which can not be changed.

The question I have is how rfc 2307 is and should be enforced as I noticeddifferences between Linux and Solaris. The rfc says:


  userPassword values which do not adhere to this syntax MUST NOT be
  used for authentication. The DUA MUST iterate through the values of
  the attribute until a value matching the above syntax is found. Only
  if encryptedpassword is an empty string does the user have no
  password. DUAs are not required to consider encryption schemes which
  the client will not recognize; in most cases, it may be sufficient to
  consider only "crypt".

Firstly does/should getspnam enforce "userPassword values which do notadhere to this syntax MUST NOT be used for authentication" by rejectinguserpassword entries which don't follow rfc 2307 or is it up to theapplication since the rfc states "DUAs are not required to considerencryption schemes which the client will not recognize; in most cases, itmay be sufficient to consider only "crypt"." too (assuming getspnam innss_ldap is the DUA) ? Solaris seems to enforce it in getspnam whereasLinux doesn't. Also Windows 2003 R2 uses unixuserpassword (this entry can besynchronised with the Kerberos password in AD and is therefore preferred)which does not follow rfc2307 as it contains the hash without {crypt}.



The rfc states also:

 A DUA MAY utilise the attributes in the shadowAccount class to
  provide shadow password service (getspnam() and getspent()). In such
  cases, the DUA MUST NOT make use of the userPassword attribute for
  getpwnam() et al, and MUST return a non-matchable password (such as
  "x") to the client instead.

I noticed on Linux that provides the user with both the userpassword ingetpwnam and in getspnam. Is that against RFC 2307 ? Does this mean agetpwnam call need internally do a getspnam call to check if a password isprovided before returning to the application ?


Thank you
Markus

[nssldap] Question about getspnam/getpwnam and ldap, Markus Moeller

Re: [nssldap] Question about getspnam/getpwnam and ldap, Buchan Milne
- Re: [nssldap] Question about getspnam/getpwnam and ldap, Markus Moeller
  - Re: [nssldap] Question about getspnam/getpwnam and ldap, Buchan Milne

Prev by Date: Re: [nssldap] Question about getspnam/getpwnam and ldap
Next by Date: Re: [nssldap] Question about getspnam/getpwnam and ldap
Previous by thread: Re: [nssldap] No timeout for nss_ldap?
Next by thread: Re: [nssldap] Question about getspnam/getpwnam and ldap