[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3446) ACL val clause ineffective with bind

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3446) ACL val clause ineffective with bind
From: richton@nbcs.rutgers.edu
Date: Mon, 3 Jan 2005 14:51:26 GMT

> I guess what you intend to do is to allow bind based on some hash
> mechanism only.  I think this possibility should be considered, maybe
> through a different mechanism

OK. The motivating problem at hand (when I found this didn't work) was
that we have some users with one-time password cards. We've coded this as
a "hash" mechanism within OpenLDAP. So an entry might have:

userPassword: {ONETIME}HWTOKEN123
userPassword: {CLEAR}secret


But we have certain services/hosts that should always use OTP, and we
have certain services/hosts that should never use OTP.


If userPassword 'val' worked, I was hoping for something like:

access to userPassword val={CLEAR}*
	by peer=secure.server none
	by dn="cn=OTPOnly" none
	by * auth

to restrict access to non-OTP entries for those with paranoia.

Prev by Date: Re: (ITS#3432) back-sql enhancements
Next by Date: Re: (ITS#3446) ACL val clause ineffective with bind
Index(es):
- Chronological
- Thread