LDAP Authentication Password Schema

RFC 3112          LDAP Authentication Password Schema           May 2001


   hash algorithm/implementation is flawed), the hashing of passwords is
   intended as an additional layer of protection.  It is RECOMMENDED that
   hashed values be protected as if they were clear text passwords.

   This attribute may be used in conjunction with server side password
   generation mechanisms (such as the LDAP Password Modify [RFC 3062]
   extended operation).

   Access to this attribute may be governed by administrative controls
   such as those which implement password change policies.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are
   to be interpreted as described in RFC 2119 [RFC 2119].

2. Schema Definitions

   The following schema definitions are described in terms of LDAPv3
   Attribute Syntax Definitions [RFC 2252] with specific syntax detailed
   using Augmented BNF [RFC 2234].

2.1. authPasswordSyntax

      ( 1.3.6.1.4.1.4203.1.1.2
        DESC 'authentication password syntax' )

   Values of this syntax are encoded according to:

      authPasswordValue = w scheme s authInfo s authValue w
      scheme = %x30-39 / %x41-5A / %x2D-2F / %x5F
            ; 0-9, A-Z, "-", ".", "/", or "_"
      authInfo = schemeSpecificValue
      authValue = schemeSpecificValue
      schemeSpecificValue = *( %x21-23 / %x25-7E )
            ; printable ASCII less "$" and " "
      s = w SEP w
      w = *SP
      SEP = %x24 ; "$"
      SP = %x20 ; " " (space)

   where scheme describes the mechanism and authInfo and authValue are
   scheme specific.  The authInfo field is often a base64 encoded salt.
   The authValue field is often a base64 encoded value derived from a
   user's password(s).  Values of this attribute are case sensitive.
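   As an added example that is not part of the RFC, the following Python
   parses authPasswordValue strings against the grammar above and verifies
   a password against the SHA1 scheme that section 3 of this RFC defines
   (authInfo is the base64 salt, authValue is the base64 SHA1 digest of the
   password followed by the salt).  The function and variable names are my
   own.  Note that the scheme rule as printed admits a single character,
   while the scheme names defined later (MD5, SHA1) are longer, so the
   parser accepts a run of scheme characters.

```python
import base64
import hashlib
import hmac

# Scheme name alphabet from the ABNF: 0-9, A-Z, "-", ".", "/", "_".  The printed
# rule admits one character; the names the RFC defines later (MD5, SHA1) are
# longer, so a run of these characters is accepted here.
SCHEME_CHARS = frozenset("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-./_")

def is_scheme_specific(field: str) -> bool:
    """schemeSpecificValue: printable ASCII 0x21-0x7E, excluding "$" (0x24)."""
    return all(0x21 <= ord(c) <= 0x7E and c != "$" for c in field)

def parse_auth_password(value: str) -> tuple[str, str, str]:
    """Split an authPasswordValue into (scheme, authInfo, authValue).
    Fields are "$"-separated with optional surrounding spaces (w); anything
    outside the grammar raises ValueError, so a malformed value fails closed."""
    parts = value.split("$")
    if len(parts) != 3:
        raise ValueError("expected exactly two '$' separators")
    scheme, auth_info, auth_value = (p.strip(" ") for p in parts)
    # Case sensitive: "sha1" is not the "SHA1" scheme.
    if not scheme or not set(scheme) <= SCHEME_CHARS:
        raise ValueError(f"invalid scheme name: {scheme!r}")
    if not (is_scheme_specific(auth_info) and is_scheme_specific(auth_value)):
        raise ValueError("authInfo/authValue outside the allowed character set")
    return scheme, auth_info, auth_value

def make_sha1_value(password: str, salt: bytes) -> str:
    """SHA1 scheme (RFC 3112 section 3): authInfo = base64(salt),
    authValue = base64(SHA1(password || salt))."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "SHA1$%s$%s" % (base64.b64encode(salt).decode("ascii"),
                           base64.b64encode(digest).decode("ascii"))

def verify_sha1(value: str, password: str) -> bool:
    """Check a candidate password against a stored SHA1-scheme value."""
    try:
        scheme, auth_info, auth_value = parse_auth_password(value)
        salt = base64.b64decode(auth_info, validate=True)
        stored = base64.b64decode(auth_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if scheme != "SHA1":
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time compare: the stored digest gets clear-text-password care.
    return hmac.compare_digest(candidate, stored)
```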






Zeilenga                     Informational