Messaging Server: Best Practices for userPassword Attribute

There was a question posed the other day about what, if any, character limitations there are for the userPassword attribute in our schema. The questioner pointed out that for the uid attribute, a number of characters are disallowed, including:

$ ~ = # * + % ! @ , { } ( ) / < \> ; : " ” [ ] & ?

Apparently, there are no such restrictions on the userPassword attribute. One of our Messaging experts reports having seen most, if not all, of the characters disallowed for the uid attribute used in the userPassword attribute.

However, this does not necessarily mean that it is a good idea to consider all of these characters for use in the userPassword attribute.

In general, best practice would be to disallow characters that a Unix shell or web page could interpret as a separator, wildcard, grouping symbol, or other metacharacter. For example, think about what could happen to a migration script or LDIF output that had userPassword: !/bin/sh;rm -r /*. Instead of just reading the password characters, imagine the damage this could cause if a typo or bad code spawned the command.
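The handling that paragraph calls for, as an added example that is not part of the original post: POSIX shell functions that read userPassword values from LDIF strictly as data (no eval, no unquoted expansion) and count the values containing shell metacharacters. The sample LDIF, the function names, and the metacharacter list are constructed for illustration, and `base64 -d` assumes a GNU-style `base64` utility.

```sh
#!/bin/sh
# Added example (not from the original post): treat LDIF userPassword values as data.
# Unsafe patterns this avoids: eval, unquoted $var, building command strings.

# Constructed sample LDIF; the quoted 'EOF' stops the shell expanding anything.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=People,o=example.com
userPassword: !/bin/sh;echo INJECTED

dn: uid=bob,ou=People,o=example.com
userPassword:: czNjcmV0O2lk

dn: uid=carol,ou=People,o=example.com
userPassword: plainPass9
EOF
}

# Print each userPassword value literally, one per line. Handles the plain and
# base64 ("::") forms; folded lines and other attribute-name casings are not handled.
ldif_passwords() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            userPassword::*) val=${line#userPassword::}
                             printf '%s' "${val# }" | base64 -d; printf '\n' ;;
            userPassword:*)  val=${line#userPassword:}
                             printf '%s\n' "${val# }" ;;
        esac
    done
}

# Return 0 if $1 contains a character a shell treats specially (assumed list).
has_shell_meta() {
    case $1 in
        *'$'*|*'`'*|*';'*|*'&'*|*'|'*|*'<'*|*'>'*|*'('*|*')'*|\
        *'{'*|*'}'*|*'*'*|*'?'*|*'['*|*']'*|*'!'*|*'~'*|*'#'*|\
        *'"'*|*"'"*|*'\'*|*' '*) return 0 ;;
    esac
    return 1
}

# Count the values on stdin that has_shell_meta flags.
count_risky() {
    n=0
    while IFS= read -r pw; do
        if has_shell_meta "$pw"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

sample_ldif | ldif_passwords | count_risky
```

Because every expansion is quoted and values are only ever passed to `printf '%s'`, the first entry's value comes out as the literal string rather than being run.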

The takeaway: Just because something is "allowed" doesn't make it a good practice.

Note: uid, which is a synonym for userID (defined in RFC 1274), is used by Messaging Server not only for logging in, but also in hashed form, to specify part of the file path where user messages are stored. Thus, Messaging Server needs additional restrictions on the uid so that the file path constructed using the uid is good and safe. Furthermore, to avoid ambiguity with IMAP ACL syntax, the Message Store also enforces a restriction that the leading character of the uid cannot be a hyphen (-).

Hat tip KH and DL.

Comments:

Wow.. where is that building located? Oh and yes, good tip! :)

Posted by Jeremy Russell on April 17, 2008 at 05:12 AM MDT #

Gehry's "Dancing Building" in Prague.

Posted by Joe Sciallo on April 17, 2008 at 05:31 AM MDT #
