RFC 3112 (rfc3112) - Page 2 of 9
LDAP Authentication Password Schema
Alternative Format: Original Text Document
RFC 3112 LDAP Authentication Password Schema May 2001
hash algorithm/implementation is flawed), the hashing of passwords is
intended to be as an additional layer of protection. It is
RECOMMENDED that hashed values be protected as if they were clear
text passwords.
This attribute may be used in conjunction with server side password
generation mechanisms (such as the LDAP Password Modify [RFC 3062]
extended operation).
Access to this attribute may governed by administrative controls such
as those which implement password change policies.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are
to be interpreted as described in RFC 2119 [RFC 2119].
2. Schema Definitions
The following schema definitions are described in terms of LDAPv3
Attribute Syntax Definitions [RFC 2252] with specific syntax detailed
using Augmented BNF [RFC 2234].
2.1. authPasswordSyntax
( 1.3.6.1.4.1.4203.1.1.2
DESC 'authentication password syntax' )
Values of this syntax are encoded according to:
authPasswordValue = w scheme s authInfo s authValue w
scheme = %x30-39 / %x41-5A / %x2D-2F / %x5F
; 0-9, A-Z, "-", ".", "/", or "_"
authInfo = schemeSpecificValue
authValue = schemeSpecificValue
schemeSpecificValue = *( %x21-23 / %x25-7E )
; printable ASCII less "$" and " "
s = w SEP w
w = *SP
SEP = %x24 ; "$"
SP = %x20 ; " " (space)
where scheme describes the mechanism and authInfo and authValue are a
scheme specific. The authInfo field is often a base64 encoded salt.
The authValue field is often a base64 encoded value derived from a
user's password(s). Values of this attribute are case sensitive.
Zeilenga Informational