RFC 3112 (rfc3112) - Page 1 of 9
Network Working Group                                        K. Zeilenga
Request for Comments: 3112                           OpenLDAP Foundation
Category: Informational                                         May 2001
LDAP Authentication Password Schema
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
This document describes schema in support of user/password
authentication in an LDAP (Lightweight Directory Access Protocol)
directory, including the authPassword attribute type. This attribute
type holds values derived from the user's password(s) (commonly using
a cryptographic strength one-way hash). authPassword is intended to be
used instead of userPassword.
1. Background and Intended Use
The userPassword attribute type [RFC 2256] is intended to be used to
support the LDAP [RFC 2251] "simple" bind operation. However, values
of userPassword must be clear text passwords. It is often desirable
to store values derived from the user's password(s) instead of actual
passwords.
The authPassword attribute type is intended to be used to store
information used to implement simple password based authentication.
The attribute type may be used by LDAP servers to implement the LDAP
Bind operation's "simple" authentication method.
The attribute type supports multiple storage schemes. A matching
rule is provided for use with extensible search filters to allow
clients to assert that a clear text password "matches" one of the
attribute's values.
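As an added illustration (not part of the RFC text), the following Python code shows what "derived values" plus a "matches" assertion look like in practice. It assumes the value syntax and the salted SHA1/MD5 schemes that RFC 3112 defines in later sections (scheme "$" authInfo "$" authValue, with authInfo the base64 salt and authValue the base64 digest of password followed by salt), and treats scheme names case-insensitively; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import os

# Assumed (from later sections of RFC 3112, not this page): the SHA1 and MD5
# schemes hash the clear text password concatenated with a per-value salt.
_DIGESTS = {"SHA1": hashlib.sha1, "MD5": hashlib.md5}


def generate_auth_password(password: str, scheme: str = "SHA1", salt: bytes = b"") -> str:
    """Derive an authPassword value from a clear text password.

    The directory never stores the password itself, only scheme, salt and digest.
    """
    if scheme not in _DIGESTS:
        raise ValueError(f"unsupported scheme: {scheme}")
    if not salt:
        salt = os.urandom(8)  # per-value random salt; the length is the server's choice
    digest = _DIGESTS[scheme](password.encode("utf-8") + salt).digest()
    return "$".join((scheme, base64.b64encode(salt).decode(), base64.b64encode(digest).decode()))


def parse_auth_password(value: str):
    """Split scheme "$" authInfo "$" authValue (whitespace around "$" tolerated)."""
    parts = [p.strip() for p in value.split("$")]
    if len(parts) != 3 or not parts[0]:
        raise ValueError("malformed authPassword value")
    scheme, auth_info, auth_value = parts
    return (scheme.upper(),
            base64.b64decode(auth_info, validate=True),
            base64.b64decode(auth_value, validate=True))


def password_matches(password: str, stored_values) -> bool:
    """Server-side check behind the 'password matches one of the values' idea."""
    for value in stored_values:
        try:
            scheme, salt, expected = parse_auth_password(value)
        except ValueError:
            continue  # a malformed or foreign value never matches, but other values still can
        if scheme not in _DIGESTS:
            continue  # unknown scheme: cannot evaluate, so it does not match
        actual = _DIGESTS[scheme](password.encode("utf-8") + salt).digest()
        if hmac.compare_digest(actual, expected):  # constant-time comparison
            return True
    return False
```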
Storage schemes often use cryptographic strength one-way hashing.
Though the use of one-way hashing reduces the potential that exposed
values will allow unauthorized access to the Directory (unless the
Zeilenga Informational