slapo-ppolicy, ppolicy_hash_cleartext and multiple userPassword values
- To: openldap-devel@OpenLDAP.org
- Subject: slapo-ppolicy, ppolicy_hash_cleartext and multiple userPassword values
- From: "Pierangelo Masarati" <ando@sys-net.it>
- Date: Tue, 13 Jun 2006 18:59:47 +0200 (CEST)
- Importance: Normal
- User-agent: SquirrelMail/1.4.3a-1
The code in slapo-ppolicy only cares about the first value of a password
stored by an ADD or MODIFY operation for both strength and automatic
hashing; wouldn't it be better to forbid multiple values as part of the
password policy? I wonder if this should be considered an implementation
detail or worth discussing on the ldapext list? Draft behera actually
states
    The policy described in this document assumes that the password
    attribute holds a single value. No considerations are made for
    directories or systems that allow a user to maintain multi-valued
    password attributes.
so, as soon as the overlay is in use, the implementation should be free to
either enforce one value or check/hash all, if the latter makes any sense.
p.
Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
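
Added example, not part of the original message and not OpenLDAP code: because the overlay as described above evaluates only the first userPassword value, an administrator can audit an LDIF export for entries that hold more than one value and see which of those values are not hashed. The sample LDIF is constructed, the function names are hypothetical, and treating a leading `{SCHEME}` prefix as "hashed" is a simplifying assumption.

```python
import base64
import re

# Assumption: a stored value counts as hashed when it starts with a {SCHEME} prefix.
SCHEME_RE = re.compile(rb"^\{[A-Za-z0-9][A-Za-z0-9_.\-/]*\}")

# Constructed sample export; DNs and password values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword: {SSHA}Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=
userPassword: summer2006

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {SSHA}Y29uc3RydWN0ZWQ=
userPassword:: c2Vjb25kLXZh
 bHVl
"""

def parse_ldif(text):
    """Yield (dn, {attr: [bytes, ...]}) per record of a simplified LDIF export."""
    unfolded = re.sub(r"\r?\n ", "", text)            # join folded lines
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue                               # comment or malformed line
            name, _, rest = line.partition(":")
            if rest.startswith(":"):                   # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip().encode("utf-8")
            if name.lower() == "dn":
                dn = value.decode("utf-8", "replace")
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs

def audit_passwords(text):
    """Map each DN with more than one userPassword value to the 1-based
    positions (in export order) of values lacking a {SCHEME} prefix."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        values = attrs.get("userpassword", [])
        if len(values) > 1:
            findings[dn] = [i for i, v in enumerate(values, 1)
                            if not SCHEME_RE.match(v)]
    return findings

if __name__ == "__main__":
    for dn, cleartext in audit_passwords(SAMPLE_LDIF).items():
        print(dn, "unhashed value positions:", cleartext)
```

LDAP attribute values are formally unordered, so the reported positions reflect only the order in which the export wrote them.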