Dismiss
InnovationQ will be updated on Sunday, Oct. 22, from 10am ET - noon. You may experience brief service interruptions during that time.
Browse Prior Art Database

LDAP Authentication Password Schema (RFC3112)

IP.com Disclosure Number: IPCOM000005300D
Original Publication Date: 2001-May-01
Included in the Prior Art Database: 2001-Aug-21
Document File: 10 page(s) / 17K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

K. Zeilenga: AUTHOR

Abstract

This document describes schema in support of user/password authentication in a LDAP (Lightweight Directory Access Protocol) directory including the authPassword attribute type. This attribute type holds values derived from the user's password(s) (commonly using cryptographic strength one-way hash). authPassword is intended to used instead of userPassword.

This text was extracted from a ASCII document.
This is the abbreviated version, containing approximately 19% of the total text.

Network Working Group K. Zeilenga Request for Comments: 3112 OpenLDAP Foundation Category: Informational May 2001

LDAP Authentication Password Schema

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

This document describes schema in support of user/password authentication in a LDAP (Lightweight Directory Access Protocol) directory including the authPassword attribute type. This attribute type holds values derived from the user's password(s) (commonly using cryptographic strength one-way hash). authPassword is intended to used instead of userPassword.

1. Background and Intended Use

The userPassword attribute type [RFC2256] is intended to be used to support the LDAP [RFC2251] "simple" bind operation. However, values of userPassword must be clear text passwords. It is often desirable to store values derived from the user's password(s) instead of actual passwords.

The authPassword attribute type is intended to be used to store information used to implement simple password based authentication. The attribute type may be used by LDAP servers to implement the LDAP Bind operation's "simple" authentication method.

The attribute type supports multiple storage schemes. A matching rule is provided for use with extensible search filters to allow clients to assert that a clear text password "matches" one of the attribute's values.

Storage schemes often use cryptographic strength one-way hashing. Though the use of one-way hashing reduces the potential that exposed values will allow unauthorized access to the Directory (unless the

Zeilenga Informational [Page 1]

RFC 3112 LDAP Authentication Password Schema May 2001

hash algorithm/implementation is flawed), the hashing of passwords is intended to be as an additional layer of protection. It is RECOMMENDED that hashed values be protected as if they were clear text passwords.

This attribute may be used in conjunction with server side password generation mechanisms (such as the LDAP Password Modify [RFC3062] extended operation).

Access to this attribute may governed by administrative controls such as those which implement password change policies.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2. Schema Definitions

The following schema definitions are described in terms of LDAPv3 Attribute Syntax Definitions [RFC2252] with specific syntax detailed using Augmented BNF [RFC2234].

2.1. authPasswordSyntax

1.3.6.1.4.1.4203.1.1.2

DESC 'authentication password syntax'

Values of this syntax a...