
Re: second userpassword?



On Thursday, 14. March 2002 09:14, Susanne Benkert wrote:

> I know that userPassword is a "multiple values attribute" but that
> doesn't really help me, because I have to use different passwords for
> different services and different levels of security. If I just create a
> second userpassword always both were checked - as far as I tested it -
> and if one fits the user is authenticated.
>
> We found out that the objectclass sambaAccount includes two more
> password-attributes (lmpassword and ntpassword) that can be used for
> Windows and Linux, so there has to be a way to create our own
> password-attributes(?)

> Has anybody already tried something like this? Or are there any other
> possibilities?

You must differentiate between two kinds of passwords.

1. passwords for doing an LDAP simple bind. There is only one simple bind 
request, so there is also just one kind of password (the userPassword 
attribute).

2. other passwords handled by applications. The lmpassword attribute from the 
SAMBA stuff is such a beast. From the LDAP point of view, this is just normal 
data. You can't do an LDAP bind against this password, but an application may 
read it and do the authentication by itself (the application has to take care 
of hashes etc.). The application will need read permission on the attribute 
(auth is not sufficient).

Yours
Stephan Siano

-- 
Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux AG                           Phone: 06196 50951 31
CU PS DU South TCC UC                   Fax:   06196 409607
Mergenthalerallee 45-47	
D-65760 Eschborn
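
Added example, not part of the original message: a sketch of the application-side check the reply describes, where the application has already read a service-specific password attribute from the entry and verifies the hash itself instead of doing an LDAP bind. The attribute name `mailPassword`, the sample entry and the function names are assumptions made for illustration; `{SSHA}` is used because it is a storage scheme OpenLDAP supports for `userPassword`.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # length of a SHA-1 digest in bytes


def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, candidate):
    """Verify a candidate password against one {SSHA} attribute value."""
    if stored[:6].upper() != "{SSHA}":
        return False  # unknown scheme: refuse instead of comparing cleartext
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(raw) <= SHA1_LEN:
        return False  # no salt present, not a valid {SSHA} value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare


def app_authenticate(entry, attr, candidate):
    """Check the candidate against every value of ONE named attribute.

    `entry` is what the application read from the directory, which is why
    it needs read (not just auth) permission on `attr`.
    """
    return any(check_ssha(v, candidate) for v in entry.get(attr, []))


# Constructed sample entry; mailPassword is a hypothetical attribute.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "userPassword": [make_ssha("bind-secret")],   # used by LDAP simple bind
    "mailPassword": [make_ssha("mail-secret")],   # plain data to the server
}

if __name__ == "__main__":
    print(app_authenticate(SAMPLE_ENTRY, "mailPassword", "mail-secret"))
    print(app_authenticate(SAMPLE_ENTRY, "mailPassword", "bind-secret"))
```

Because the check is scoped to one attribute, the bind password does not unlock the mail service, which is the separation asked for in the quoted question.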