分享
 
 
 

RFC3112 - LDAP Authentication Password Schema

王朝other·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

Network Working Group K. Zeilenga

Request for Comments: 3112 OpenLDAP Foundation

Category: Informational May 2001

LDAP Authentication PassWord Schema

Status of this Memo

This memo provides information for the Internet community. It does

not specify an Internet standard of any kind. Distribution of this

memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

This document describes schema in support of user/password

authentication in a LDAP (Lightweight Directory Access Protocol)

directory including the authPassword attribute type. This attribute

type holds values derived from the user's password(s) (commonly using

cryptographic strength one-way hash). authPassword is intended to

used instead of userPassword.

1. Background and Intended Use

The userPassword attribute type [RFC2256] is intended to be used to

support the LDAP [RFC2251] "simple" bind operation. However, values

of userPassword must be clear text passwords. It is often desirable

to store values derived from the user's password(s) instead of actual

passwords.

The authPassword attribute type is intended to be used to store

information used to implement simple password based authentication.

The attribute type may be used by LDAP servers to implement the LDAP

Bind operation's "simple" authentication method.

The attribute type supports multiple storage schemes. A matching

rule is provided for use with extensible search filters to allow

clients to assert that a clear text password "matches" one of the

attribute's values.

Storage schemes often use cryptographic strength one-way hashing.

Though the use of one-way hashing redUCes the potential that eXPosed

values will allow unauthorized access to the Directory (unless the

hash algorithm/implementation is flawed), the hashing of passwords is

intended to be as an additional layer of protection. It is

RECOMMENDED that hashed values be protected as if they were clear

text passwords.

This attribute may be used in conjunction with server side password

generation mechanisms (such as the LDAP Password Modify [RFC3062]

extended operation).

Access to this attribute may governed by administrative controls such

as those which implement password change policies.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",

"SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are

to be interpreted as described in RFC2119 [RFC2119].

2. Schema Definitions

The following schema definitions are described in terms of LDAPv3

Attribute Syntax Definitions [RFC2252] with specific syntax detailed

using Augmented BNF [RFC2234].

2.1. authPasswordSyntax

( 1.3.6.1.4.1.4203.1.1.2

DESC 'authentication password syntax' )

Values of this syntax are encoded according to:

authPasswordValue = w scheme s authInfo s authValue w

scheme = %x30-39 / %x41-5A / %x2D-2F / %x5F

; 0-9, A-Z, "-", ".", "/", or "_"

authInfo = schemeSpecificValue

authValue = schemeSpecificValue

schemeSpecificValue = *( %x21-23 / %x25-7E )

; printable ASCII less "$" and " "

s = w SEP w

w = *SP

SEP = %x24 ; "$"

SP = %x20 ; " " (space)

where scheme describes the mechanism and authInfo and authValue are a

scheme specific. The authInfo field is often a base64 encoded salt.

The authValue field is often a base64 encoded value derived from a

user's password(s). Values of this attribute are case sensitive.

Transfer of values of this syntax is strongly discouraged where the

underlying transport service cannot guarantee confidentiality and may

result in disclosure of the values to unauthorized parties.

This document describes a number of schemes, as well as requirements

for the scheme naming, in section 3.

2.2. authPasswordExactMatch

( 1.3.6.1.4.1.4203.1.2.2

NAME 'authPasswordExactMatch'

DESC 'authentication password exact matching rule'

SYNTAX 1.3.6.1.4.1.4203.1.1.2 )

This matching rule allows a client to assert that an asserted

authPasswordSyntax value matches authPasswordSyntax values. It is

meant to be used as the EQUALITY matching rule of attributes whose

SYNTAX is authPasswordSyntax.

The assertion is "TRUE" if there is an attribute value which has the

same scheme, authInfo, and authValue components as the asserted

value; "FALSE" if no attribute value has the same components as the

asserted value; and "Undefined" otherwise.

2.3. authPasswordMatch

( 1.3.6.1.4.1.4203.1.2.3

NAME 'authPasswordMatch'

DESC 'authentication password matching rule'

SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

This matching rule allows a client to assert that a password matches

values of authPasswordSyntax using an extensibleMatch filter

component. Each value is matched per its scheme. The assertion is

"TRUE" if one or more attribute values matches the asserted value,

"FALSE" if all values do not matches, and "Undefined" otherwise.

Servers which support use of this matching rule SHOULD publish

appropriate matchingRuleUse values per [RFC2252], 4.4.

Transfer of authPasswordMatch assertion values is strongly

discouraged where the underlying transport service cannot guarantee

confidentiality and may result in disclosure of the values to

unauthorized parties.

2.4. supportedAuthPasswordSchemes

( 1.3.6.1.4.1.4203.1.3.3

NAME 'supportedAuthPasswordSchemes'

DESC 'supported password storage schemes'

EQUALITY caseExactIA5Match

SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32}

USAGE dSAOperation )

The values of this attribute are names of supported authentication

password schemes which the server supports. The syntax of a scheme

name is described in section 2.1. This attribute may only be present

in the root DSE. If the server does not support any password

schemes, this attribute will not be present.

2.5. authPassword

( 1.3.6.1.4.1.4203.1.3.4 NAME 'authPassword'

DESC 'password authentication information'

EQUALITY 1.3.6.1.4.1.4203.1.2.2

SYNTAX 1.3.6.1.4.1.4203.1.1.2 )

The values of this attribute are representative of the user's

password(s) and conform to the authPasswordSyntax described in 2.1.

The values of this attribute may be used for authentication purposes.

Transfer of authPassword values is strongly discouraged where the

underlying transport service cannot guarantee confidentiality and may

result in disclosure of the values to unauthorized parties.

2.6. authPasswordObject

( 1.3.6.1.4.1.4203.1.4.7 NAME 'authPasswordObject'

DESC 'authentication password mix in class'

MAY 'authPassword'

AUXILIARY )

Entries of this object class may contain authPassword attribute

types.

3. Schemes

This section describes the "MD5" and "SHA1" schemes. Other schemes

may be defined by other documents. Schemes which are not described

in an RFCSHOULD be named with a leading "X-" to indicate they are a

private or implementation specific scheme, or may be named using the

dotted-decimal representation [RFC2252] of an OID assigned to the

scheme.

3.1. MD5 scheme

The MD5 [RFC1321] scheme name is "MD5".

The authValue is the base64 encoding of an MD5 digest of the

concatenation the user password and salt. The base64 encoding of the

salt is provided in the authInfo field. The salt MUST be at least 64

bits long. Implementations of this scheme MUST support salts up to

128 bits in length.

Example:

Given a user "joe" who's password is "mary" and a salt of "salt",

the authInfo field would be the base64 encoding of "salt" and the

authValue field would be the base64 encoding of the MD5 digest of

"marysalt".

A match against an asserted password and an attribute value of this

scheme SHALL be true if and only if the MD5 digest of concatenation

of the asserted value and the salt is equal to the MD5 digest

contained in AuthValue. The match SHALL be undefined if the server

is unable to complete the equality test for any reason. Otherwise

the match SHALL be false.

Values of this scheme SHOULD only be used to implement simple

user/password authentication.

3.2. SHA1 scheme

The SHA1 [SHA1] scheme name is "SHA1".

The authValue is the base64 encoding of a SHA1 digest of the

concatenation the user password and the salt. The base64 encoding of

the salt is provided in the authInfo field. The salt MUST be at

least 64 bits long. Implementations of this scheme MUST support

salts up to 128 bits in length.

Example:

Given a user "joe" who's password is "mary" and a salt of "salt",

the authInfo field would be the base64 encoding of "salt" and the

authValue field would be the base64 encoding of the SHA1 digest of

"marysalt".

A match against an asserted password and an attribute value of this

scheme SHALL be true if and only if the SHA1 digest of concatenation

of the asserted value and the salt is equal to the SHA1 digest

contained in AuthValue. The match SHALL be undefined if the server

is unable to complete the equality test for any reason. Otherwise

the match SHALL be false.

Values of this scheme SHOULD only be used to implement simple

user/password authentication.

4. Implementation Issues

For all implementations of this specification:

Servers MAY restrict which schemes are used in conjunction with a

particular authentication process but SHOULD use all values of

selected schemes. If the asserted password matches any of the

stored values, the asserted password SHOULD be considered valid.

Servers MAY use other authentication storage mechanisms, such as

userPassword or an external password store, in conjunction with

authPassword to support the authentication process.

Servers that support simple bind MUST support the SHA1 scheme and

SHOULD support the MD5 scheme.

Servers SHOULD NOT publish values of authPassword nor allow

operations which expose authPassword values or AuthPasswordMatch

assertions to unless confidentiality protection is in place.

Clients SHOULD NOT initiate operations which provide or request

values of authPassword or make authPasswordMatch assertions unless

confidentiality protection is in place.

Clients SHOULD NOT assume that a successful AuthPasswordMatch,

whether by compare or search, is sufficient to gain directory

access. The bind operation MUST be used to authenticate to the

directory.

5. Security Considerations

This document describes how authentication information may be stored

in a directory. Authentication information MUST be adequately

protected as unintended disclosure will allow attackers to gain

immediate access to the directory as described by [RFC2829].

As flaws may be discovered in the hashing algorithm or with a

particular implementation of the algorithm or values could be subject

to various attacks if exposed, values of AuthPassword SHOULD be

protected as if they were clear text passwords. When values are

transferred, privacy protections, such as IPSEC or TLS, SHOULD be in

place.

Clients SHOULD use strong authentication mechanisms [RFC2829].

AuthPasswordMatch matching rule allows applications to test the

validity of a user password and, hence, may be used to mount an

attack. Servers SHOULD take appropriate measures to protect the

directory from such attacks.

Some password schemes may require CPU intensive operations. Servers

SHOULD take appropriate measures to protect against Denial of Service

attacks.

AuthPassword does not restrict an authentication identity to a single

password. An attacker who gains write access to this attribute may

store additional values without disabling the user's true

password(s). Use of policy aware clients and servers is RECOMMENDED.

The level of protection offered against various attacks differ from

scheme to scheme. It is RECOMMENDED that servers support scheme

selection as a configuration item. This allows for a scheme to be

easily disabled if a significant security flaw is discovered.

6. Acknowledgment

This document borrows from a number of IETF documents and is based

upon input from the IETF LDAPext working group.

7. Bibliography

[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC1321,

April 1992

[RFC2219] Bradner, S., "Key words for use in RFCs to Indicate

Requirement Levels", BCP 14, RFC2119, March 1997.

[RFC2234] Crocker, D., Editor, P. Overell, "Augmented BNF for Syntax

Specifications: ABNF", RFC2234, November 1997.

[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory

Access Protocol (v3)", RFC2251, December 1997.

[RFC2252] Wahl, M., Coulbeck, A., Howes, T., and S. Kille,

"Lightweight Directory Access Protocol (v3): Attribute

Syntax Definitions", RFC2252, December 1997.

[RFC2256] Wahl, A., "A Summary of the X.500(96) User Schema for use

with LDAPv3", RFC2256, December 1997.

[RFC2307] Howard, L., "An Approach for Using LDAP as a Network

Information Service", RFC2307, March 1998.

[RFC2829] Wahl, M., Alvestrand, H., Hodges, J. and R. Morgan,

"Authentication Methods for LDAP", RFC2829, June 2000.

[RFC3062] Zeilenga, K., "LDAP Password Modify Extended Operation",

RFC3062, February 2001.

[SHA1] NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995.

8. Author's Address

Kurt D. Zeilenga

OpenLDAP Foundation

EMail: Kurt@OpenLDAP.org

9. Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to

others, and derivative works that comment on or otherwise explain it

or assist in its implementation may be prepared, copied, published

and distributed, in whole or in part, without restriction of any

kind, provided that the above copyright notice and this paragraph are

included on all such copies and derivative works. However, this

document itself may not be modified in any way, such as by removing

the copyright notice or references to the Internet Society or other

Internet organizations, except as needed for the purpose of

developing Internet standards in which case the procedures for

copyrights defined in the Internet Standards process must be

followed, or as required to translate it into languages other than

English.

The limited permissions granted above are perpetual and will not be

revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an

"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING

TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING

BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION

HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFCEditor function is currently provided by the

Internet Society.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有