--On Wednesday, January 16, 2013 7:39 AM +0100 Michael Ströder michael@stroeder.com wrote:
Quanah Gibson-Mount wrote:
--On Tuesday, January 15, 2013 2:35 PM -0800 Ori Bani oribani@gmail.com wrote:
Why hasn't the sha2 module been migrated out of the contrib directory
The "core" of OpenLDAP tries to be as RFC compliant as possible. There is no RFC that I'm aware of that adds SHA2 support.
Sorry, this is an artificial argument which is simply not valid!
Can you tell me which RFC specifies how to handle LANMAN hashes (--enable-lmpasswd)? There are plenty similar examples...
OpenLDAP, like many software projects that have existed for numerous years, has grown in its development practices. Just because something was done incorrectly in the past is not a reason to continue doing so. Feel free to port lanman hashes to a contrib module.
I'm not an expert in security, so this is just my 2c. In general, as far as I recall, we tend to be pragmatic when appropriate. So asking a fancy useless feature to become mainstream because other fancy useless features made it long ago is pointless. But when it comes to security, I think it may be wise to break the rule every now and then.
I leave judgement to security experts, but in case I'd favour moving SHA-2 support to mainstream (or whatever other means makes it easier for packagers to include it without requiring users to compile it separately).
As I said, my 2c.
p.