Pierangelo Masarati wrote:
On 09/27/2011 06:59 PM, Michael Ströder wrote:
HI!
We have {SSHA}-hashed passwords in attribute userPassword.
One application sends CompareRequests with the clear-text password instead of a BindRequest to validate the password which obviously fails. The application vendor claims it is too much effort to change that behaviour in the application. I guess this can only be solved in slapd by a custom overlay intercepting the CompareRequest (which is effort too).
I guess the purpose is to authenticate. In that case, the app should use the bind operation (simple bind, in this case).
An overlay would basically need to take the value from the compare request, put it into a bind request structure, call the frontend's bi_op_bind() hook. The custom overlay would probably be 10 to 100 lines of code, and most of the headache would come from trading code duplication (rewrite simple bind code) with having to deal with intercepting bind responses, which is a mess (successful ones are delegated to the frontend, unsuccessful ones are directly dealt with by the hook).
The application would need how many lines of code? two? three?
Pierangelo I really appreciate that you double my arguments... ;-)
But decisions are sometimes influenced by other priorities beyond pure technical aspects.
Anyway the guy who's supposed to implement such an overlay will appreciate your technical hints above.
Ciao, Michael.