
Re: slapo-ppolicy, ppolicy_hash_cleartext and multiple userPassword values
At 09:59 AM 6/13/2006, Pierangelo Masarati wrote:
>The code in slapo-ppolicy only cares about the first value of a password
>stored by an ADD or MODIFY operation for both strength and automatic
>hashing; wouldn't it be better to forbid multiple values as part of the
>password policy?  I wonder if this should be considered an implementation
>detail or worth discussing on the ldapext list?  Draft behera actually
>states
>
>   The policy described in this document assumes that the password
>   attribute holds a single value.  No considerations are made for
>   directories or systems that allow a user to maintain multi-valued
>   password attributes.
>
>so, as soon as the overlay is in use, the implementation should be free to
>either enforce one value or check/hash all, if the latter makes any sense.

My opinion is that it should be a policy issue as to whether
an entity can have multiple passwords or not.  But given
the limitations of the draft, returning a constraintViolation
error (or other appropriate error) on attempts to add multiple
passwords would be proper.
>p.
>
>
>
>Ing. Pierangelo Masarati
>Responsabile Open Solution
>OpenLDAP Core Team
>
>SysNet s.n.c.
>Via Dossi, 8 - 27100 Pavia - ITALIA
>http://www.sys-net.it
>------------------------------------------
>Office:   +39.02.23998309
>Mobile:   +39.333.4963172
>Email:    pierangelo.masarati@sys-net.it
>------------------------------------------
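
The three behaviours discussed in the thread, as an added example that is not OpenLDAP's code and not part of either message: "first-only" models what the message says slapo-ppolicy did at the time (only the first userPassword value is strength-checked and hashed), "reject" models the constraintViolation proposed in the reply, and "all" models hashing and checking every value. The function and mode names, the min_length argument standing in for pwdMinLength, and the sample password values are assumptions made for this example; the {SSHA} encoding (base64 of SHA-1(password || salt) followed by the salt) is the one OpenLDAP stores.

```python
import base64
import hashlib
import os


class ConstraintViolation(Exception):
    """Stands in for LDAP resultCode 19 (constraintViolation)."""


def ssha_hash(cleartext, salt=None):
    # {SSHA} as OpenLDAP stores it: base64( SHA1(password || salt) || salt ).
    # A 4-byte random salt is used when none is supplied (assumption for this example).
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, cleartext):
    # Split the decoded value into the 20-byte SHA-1 digest and the trailing salt.
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(cleartext.encode("utf-8") + salt).digest() == digest


def is_hashed(value):
    # Values already carrying a {scheme} prefix are stored as-is; their strength cannot be checked.
    return value.startswith("{") and "}" in value


def apply_ppolicy(values, mode="reject", min_length=8):
    """Apply strength checking and cleartext hashing to the userPassword values of an ADD/MODIFY.

    mode="first-only": only values[0] is checked and hashed (the behaviour the thread describes)
    mode="reject":     more than one value raises ConstraintViolation (the proposed behaviour)
    mode="all":        every value is checked and hashed
    Returns the list of values as they would be written to the entry.
    """
    if not values:
        raise ConstraintViolation("userPassword must carry at least one value")
    if mode == "reject" and len(values) > 1:
        raise ConstraintViolation("password policy only allows a single userPassword value")
    to_process = values[:1] if mode == "first-only" else values
    stored = list(values)
    for i, value in enumerate(to_process):
        if is_hashed(value):
            continue
        if len(value) < min_length:  # min_length stands in for pwdMinLength
            raise ConstraintViolation(f"value {i} is shorter than pwdMinLength={min_length}")
        stored[i] = ssha_hash(value)
    return stored


def cleartext_leftovers(stored):
    # Indices of values that reached the entry without being hashed: the gap the thread points at.
    return [i for i, v in enumerate(stored) if not is_hashed(v)]


def rejects(values, mode, min_length=8):
    # True when the policy refuses the operation (helper for checking the failure paths).
    try:
        apply_ppolicy(values, mode=mode, min_length=min_length)
    except ConstraintViolation:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a second value that is both weak and, under "first-only", never looked at.
    sample = ["correct horse battery", "short"]
    print("first-only:", apply_ppolicy(sample, mode="first-only"))
    print("cleartext left behind at indices:", cleartext_leftovers(apply_ppolicy(sample, mode="first-only")))
    print("reject refuses:", rejects(sample, mode="reject"))
    print("all refuses (weak 2nd value):", rejects(sample, mode="all"))
```

Running the sample shows why the first-value-only behaviour is the weakest of the three: the second value is written to the entry unhashed and unchecked, and an LDAP simple bind will still accept it.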