
Re: userPassword not SINGLE-VALUE ?



V Alex Brennen writes:
>On Fri, 7 Nov 2003, Ace Suares wrote:
> 
>>  - where is attributetype userPassword defined ?
> 
> It is defined in core.schema.

No, it is hard-coded into slapd, in servers/slapd/schema_prep.c.

> If it is commented out in your installation, you should not have been
> able to add any values for it.

What do you mean?  It's commented out in core.schema because
it's defined elsewhere, that's all.

>> - if so, how does an application (qmail, proftpd, whatever)
>>   determine which userPassword to use ? Will it always use
>>   'the first' ?

Slapd tries all of them.

> It can be application-dependent, depending on how the author
> of the application decided to implement the authentication.

Applications shouldn't read and check userPassword at all.  They
shouldn't even be able to: the server should make userPassword
unreadable.  That is, the sysadmin should put something like this in
slapd.conf:

   access to attr=userPassword by * ssf=128 auth

which only gives 'auth' access to userPassword, and that only when TLS
is in use (so users are not encouraged to send plaintext passwords over
the net.)

-- 
Hallvard
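
As an added illustration (not part of Hallvard's message or of the OpenLDAP
sources), here is the access rule from his reply placed in a fuller slapd.conf
context: a permissive rule set that leaves userPassword readable, followed by
the hardened version. The suffix and the exact ssf value are assumptions; the
only rule taken from the post is "by * ssf=128 auth".

```conf
# Added example, not from the original post. slapd.conf (not cn=config)
# syntax. "ssf=128" is a Security Strength Factor: the rule only matches
# when the connection has at least 128-bit-equivalent protection, which
# in practice means TLS (or an equivalent SASL security layer).

# WEAK: with only a broad rule like this, userPassword (hash values
# included) is readable by every bound user, and an application can be
# written to fetch and compare it instead of letting slapd bind.
access to *
        by users read
        by * auth

# HARDENED: slapd evaluates "access to" clauses in order and uses the
# first one whose target matches, so the userPassword rule must appear
# BEFORE any "access to *" rule or it is never reached.
access to attrs=userPassword
        by self ssf=128 write     # a user may change their own password
        by * ssf=128 auth         # everyone else: bind/compare only, and only over TLS
        by * none                 # explicit deny for everything else (e.g. no TLS)

access to *
        by users read
        by * auth
```

With the hardened rules in place, a simple bind over TLS still works
(`ldapwhoami -ZZ -D "<user dn>" -W`), while a search by that same user for
its own entry returns the entry without a userPassword attribute, and a bind
attempted without TLS is refused. The `security ssf=128` global directive is
a complementary control that rejects under-protected operations server-wide;
the per-attribute rule above is what stops even a TLS-protected client from
reading the password values.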