
Re: multiple password attributes...



Tue, 2002-12-10 at 23:36, Paul Reilly wrote:

> > GQ can give uid Torgeir 2 completely different passwords, one crypt and
> > one clear text, and he can do a pam_ldap based login to a system
> >
> Is it storing it in two different Password attributes?

2 different attributes, yes. This is with OpenLDAP 2.1.8 and BDB 4.1.24.
I reckon that it's an anomaly. It's in core.schema, but commented out,
so I suppose it's built in, somehow. The comment says: RFC2256/2307:
password of user. I haven't looked at the RFCs.

> > terminal (on the same machine) with either one. Now all we have to do is
> > to get each different service to allow just one of them.

> Yes I had heard of this setup you mention. But how do you tell which
> service goes to which password field? How does OpenLDAP know to bind to the
> userPassword field anyway?

I don't know how you'd get standard apps to choose the right password.
You could write a shell/C routine that checks; I've done that in the
past with Korn shell and it works very well. OpenLDAP uses pam_ldap in
this case, which seems to accept either password.

Best,

Tony


-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
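
An added example, not part of the original message or of any tool named in the thread: a small audit over an LDIF export that flags entries carrying more than one password value, or a value with no `{SCHEME}` prefix (stored in clear text), which is the situation the thread describes. It assumes the passwords are held as values of `userPassword` (the name used in the quoted question; pass other names via the hypothetical `password_attrs` parameter), and the sample entries are constructed.

```python
import base64
import re

# Constructed sample export (not from the thread); second value is base64 cleartext.
SAMPLE_LDIF = """\
dn: uid=torgeir,ou=people,dc=example,dc=com
userPassword: {CRYPT}constructedCryptValue
userPassword:: Y2xlYXJ0ZXh0LXNlY3JldA==

dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {SSHA}constructed
 FoldedValue
"""
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")

def parse_ldif(text):
    """Yield (dn, [(attr, value)]) per entry, unfolding lines and decoding '::' base64."""
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name.lower(), value))
        if dn:
            yield dn, attrs

def audit(text, password_attrs=("userpassword",)):
    """Map each flagged DN to its password schemes and the issues found."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        schemes = []
        for name, value in attrs:
            if name in password_attrs:
                m = SCHEME_RE.match(value)
                schemes.append(m.group(1).upper() if m else "CLEARTEXT")
        issues = ["multiple-values"] if len(schemes) > 1 else []
        if "CLEARTEXT" in schemes:
            issues.append("cleartext")
        if issues:
            findings[dn] = {"schemes": schemes, "issues": issues}
    return findings
```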