[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP 2.0 and its crazy userPassword usage

To: michael@stroeder.com
Subject: Re: OpenLDAP 2.0 and its crazy userPassword usage
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 12 May 2001 14:27:13 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <3AFDA192.6955709C@stroeder.com>
References: <5.1.0.14.0.20010511171154.00aa2830@127.0.0.1> <5.1.0.14.0.20010512131451.00accec0@127.0.0.1>

At 01:48 PM 5/12/01, Michael Ströder wrote:
>What's the purpose of having multi-valued password attributes?

To allow an entity to have multiple passwords, of course.  With
authPassword, the attribute allows multiple derived values of
the same password.

>Changing the password with userPassword and hash-scheme would be as
>follows:
>- Check which one is the old password by iterating over all values
>of userPassword values and comparing the hashed password to the
>values.
>- Modify the list of userPassword attribute values such that only
>the old password is changed (with appropriate hashing scheme).
>
>Is that right? Would be kinda strange...

That would be one approach.  But there are other approaches.d
Clients should just use the password modify extended operation
and let the server do the right thing.  Otherwise the client
needs to have apriori knowledge of how the server manages
authentication secrets.

Follow-Ups:
- Re: OpenLDAP 2.0 and its crazy userPassword usage
  - From: Michael Ströder <michael@stroeder.com>

References:
- Re: OpenLDAP 2.0 and its crazy userPassword usage
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: OpenLDAP 2.0 and its crazy userPassword usage
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: OpenLDAP 2.0 and its crazy userPassword usage
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: OpenLDAP 2.0 and its crazy userPassword usage
Next by Date: Re: OpenLDAP 2.0 and its crazy userPassword usage
Index(es):
- Chronological
- Thread