9:04 a.m.
Hi,
We are looking at extending the allowed length of passwords we allow people to use (the
theory being that a short phrase is easier to remember than a shorter, but arbitrary
string of characters). But since we use our ldap server for authentication to a whole
host of online tools, including several portals, I need to know the max length of the
source password when doing a bind.
Thanks,
Rob
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
ITS will never ask you for your password. Please don’t share yours with anyone!
12:46 p.m.
Rob Tanner wrote:
Hi,
We are looking at extending the allowed length of passwords we allow people to
use (the theory being that a short phrase is easier to remember than a
shorter, but arbitrary string of characters). But since we use our ldap
server for authentication to a whole host of online tools, including several
portals, I need to know the max length of the source password when doing a bind.
There are no maximum lengths in LDAP. Limits imposed by other applications
depend on the particular application.
Thanks,
Rob
*Rob Tanner*
UNIX Services Manager
Linfield College, McMinnville Oregon
*ITS will never ask you for your password. Please don’t share yours with anyone!
*
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:17 p.m.
New subject: Antw: Re: Max length allowed for a password
>> Howard Chu <hyc(a)symas.com> schrieb am 09.12.2013 um
21:46 in Nachricht
<52A62C26.8080501(a)symas.com>:
Rob Tanner wrote:
> Hi,
>
> We are looking at extending the allowed length of passwords we allow people
to
> use (the theory being that a short phrase is easier to remember than a
> shorter, but arbitrary string of characters). But since we use our ldap
> server for authentication to a whole host of online tools, including
several
> portals, I need to know the max length of the source password
when doing a
bind.
There are no maximum lengths in LDAP. Limits imposed by other applications
depend on the particular application.
Right, but what about typical input buffer lengths in the openLDAP tools (like
ldapsearch)?
>
> Thanks,
> Rob
>
>
>
>
> *Rob Tanner*
> UNIX Services Manager
> Linfield College, McMinnville Oregon
>
> *ITS will never ask you for your password. Please don’t share yours with
anyone!
> *
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:53 p.m.
New subject: Antw: Re: Max length allowed for a password
Ulrich Windl wrote:
>>> Howard Chu <hyc(a)symas.com> schrieb am 09.12.2013 um
21:46 in Nachricht
<52A62C26.8080501(a)symas.com>:
> Rob Tanner wrote:
>> Hi,
>>
>> We are looking at extending the allowed length of passwords we allow people
> to
>> use (the theory being that a short phrase is easier to remember than a
>> shorter, but arbitrary string of characters). But since we use our ldap
>> server for authentication to a whole host of online tools, including
several
>> portals, I need to know the max length of the source password when doing a
> bind.
>
> There are no maximum lengths in LDAP. Limits imposed by other applications
> depend on the particular application.
Right, but what about typical input buffer lengths in the openLDAP tools (like
ldapsearch)?
Part of the point of the open source movement is to allow end users to read
the source and see what the code they use actually does. This is a cornerstone
of free software, and a key distinction between it and proprietary software.
Learn to exercise this freedom.
Since LDAP imposes no limits on the maximum length of a password, it would be
moronic for OpenLDAP software to impose limits of its own; that would prevent
the tools from working with all possible LDAP servers. You can either trust
that we are not morons, or distrust that and use something else instead, or
read the source and see for yourself. Whatever choice, your question was a
waste of time.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:12 a.m.
New subject: Antw: Re: Max length allowed for a password
>> Howard Chu <hyc(a)symas.com> schrieb am 13.12.2013 um
08:53 in Nachricht
<52AABCE1.4060805(a)symas.com>:
Ulrich Windl wrote:
>>>> Howard Chu <hyc(a)symas.com> schrieb am 09.12.2013 um 21:46 in
Nachricht
> <52A62C26.8080501(a)symas.com>:
>> Rob Tanner wrote:
>>> Hi,
>>>
>>> We are looking at extending the allowed length of passwords we allow people
>
>> to
>>> use (the theory being that a short phrase is easier to remember than a
>>> shorter, but arbitrary string of characters). But since we use our ldap
>>> server for authentication to a whole host of online tools, including
> several
>>> portals, I need to know the max length of the source password when doing a
>
>> bind.
>>
>> There are no maximum lengths in LDAP. Limits imposed by other applications
>> depend on the particular application.
>
> Right, but what about typical input buffer lengths in the openLDAP tools
(like
> ldapsearch)?
Part of the point of the open source movement is to allow end users to read
the source and see what the code they use actually does. This is a
cornerstone
of free software, and a key distinction between it and proprietary software.
Excellent answer: "man slapd"
---
NAME
slapd - Use the source, Luke!
SYNOPSIS
Use the source, Luke!
DESCRIPTION
Use the source, Luke!
OPTIONS
Use the source, Luke!
SEE ALSO
Use the source, Luke!
BUGS
Use the source, Luke!
ACKNOWLEDGEMENTS
Use the source, Luke!
---
;-)
Learn to exercise this freedom.
Since LDAP imposes no limits on the maximum length of a password, it would
be
moronic for OpenLDAP software to impose limits of its own; that would
prevent
the tools from working with all possible LDAP servers. You can either trust
that we are not morons, or distrust that and use something else instead, or
read the source and see for yourself. Whatever choice, your question was a
waste of time.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:57 p.m.
New subject: Antw: Re: Max length allowed for a password
On 2013-12-13 08:17, Ulrich Windl wrote:
>> Howard Chu <hyc(a)symas.com> schrieb am 09.12.2013
>> There are no maximum lengths in LDAP. Limits imposed by other
>> applications
> depend on the particular application.
Right, but what about typical input buffer lengths in the openLDAP
tools (like
ldapsearch)?
Right... libldap has "#define LDIF_MAXLINE 4096", you must wrap
longer lines (start each continuation line with a space).
That doesn't impose a max length of the attribute value though.
--
Hallvard
3:20 a.m.
New subject: Antw: Re: Max length allowed for a password
On 2013-12-13 08:57, Hallvard Breien Furuseth wrote:
On 2013-12-13 08:17, Ulrich Windl wrote:
>>> Howard Chu <hyc(a)symas.com> schrieb am 09.12.2013
>>> There are no maximum lengths in LDAP. Limits imposed by other
>>> applications
>> depend on the particular application.
> Right, but what about typical input buffer lengths in the openLDAP
> tools (like
> ldapsearch)?
Right... libldap has "#define LDIF_MAXLINE 4096", you must wrap
longer lines (start each continuation line with a space).
That doesn't impose a max length of the attribute value though.
More to the point, ldapsearch() & co use getpassphrase() if available,
and a Solaris manpage says it limits input to 257 chars.
The fallback implementation in OpenLDAP liblutil allows 512
including the final \0.
--
Hallvard
5:30 a.m.
New subject: Antw: Re: Max length allowed for a password
Hallvard Breien Furuseth wrote:
On 2013-12-13 08:57, Hallvard Breien Furuseth wrote:
> On 2013-12-13 08:17, Ulrich Windl wrote:
>>>> Howard Chu <hyc(a)symas.com> schrieb am 09.12.2013
>>>> There are no maximum lengths in LDAP. Limits imposed by other
>>>> applications
>>> depend on the particular application.
>> Right, but what about typical input buffer lengths in the openLDAP
>> tools (like
>> ldapsearch)?
>
> Right... libldap has "#define LDIF_MAXLINE 4096", you must wrap
> longer lines (start each continuation line with a space).
> That doesn't impose a max length of the attribute value though.
More to the point, ldapsearch() & co use getpassphrase() if available,
and a Solaris manpage says it limits input to 257 chars.
The fallback implementation in OpenLDAP liblutil allows 512
including the final \0.
This is not conclusive though. There is no limit on passwords passed on the
commandline, nor on passwords read from a file.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3456
days inactive
3460
days old
openldap-technical@openldap.org
7 comments
4 participants
participants (4)
-
Hallvard Breien Furuseth -
Howard Chu -
Rob Tanner -
Ulrich Windl