
slapo-ppolicy, ppolicy_hash_cleartext and multiple userPassword values



The code in slapo-ppolicy only cares about the first value of a password
stored by an ADD or MODIFY operation for both strength and automatic
hashing; wouldn't it be better to forbid multiple values as part of the
password policy?  I wonder if this should be considered an implementation
detail or worth discussing on the ldapext list?  Draft behera actually
states

   The policy described in this document assumes that the password
   attribute holds a single value.  No considerations are made for
   directories or systems that allow a user to maintain multi-valued
   password attributes.

so, as soon as the overlay is in use, the implementation should be free to
either enforce one value or check/hash all, if the latter makes any sense.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
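
An added example, not part of the original message and not OpenLDAP code: a Python audit of an LDIF export that finds entries with more than one userPassword value and reports which values are not stored in hashed {SCHEME} form, the case the message says the overlay's first-value-only handling leaves unchecked. The sample LDIF, the DNs and the function names are constructed for illustration; value order in an export is not guaranteed to match the order the server received, so every position is checked.

```python
import base64
import re

# Constructed sample LDIF (not real data); "::" marks a base64-encoded value.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {SSHA}ZXhhbXBsZWhhc2hleGFtcGxlaGFzaA==
userPassword: plain-second-value

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {SSHA}Y29uc3RydWN0ZWQ=
userPassword:: c2Vjb25kLWNsZWFy
 dGV4dA==
"""

# A stored hash carries a "{SCHEME}" prefix; anything else is treated as cleartext.
HASHED = re.compile(rb"^\{[A-Za-z0-9_./-]+\}.+", re.S)

def parse_entries(ldif):
    """Yield (dn, [userPassword values as bytes]) for each LDIF entry."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo RFC 2849 line folding
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        dn, values = None, []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # base64 form, "attr:: value"
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip().encode()
            if attr.lower() == "dn":
                dn = value.decode()
            elif attr.lower() == "userpassword":
                values.append(value)
        if dn:
            yield dn, values

def audit(ldif):
    """Return {dn: [indexes of unhashed values]} for multi-valued entries."""
    return {dn: [i for i, v in enumerate(vals) if not HASHED.match(v)]
            for dn, vals in parse_entries(ldif) if len(vals) > 1}

if __name__ == "__main__":
    for dn, unhashed in audit(SAMPLE_LDIF).items():
        print(f"{dn}: multiple userPassword values, unhashed at {unhashed}")
```

The report lists value positions only, so cleartext passwords found in the export are never printed.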