
Re: how to change userPassword in overlay...



Marcin Giedz writes:
>Hallvard B Furuseth wrote:
>> Not sure what "with respect to previous password hash" means, if not
>> EXOP_MODIFY_PASSWD.
>
> I mean: if userPassword uses an md5 hash, change it to the new one but
> keep/use the same hash.

Oh.  Just grab the old one, ignoring any access control rules, and see
if it starts with '{something}'.  Note that if it does but slapd doesn't
know a hash method with that name, it may be because it comes from some
other installation which does recognize it.  In that case you can either
fail or use some hash method which you or slapd do know.

>>   That's exactly what it does.  You just need an
>> overlay in addition, to spawn updates to other entries.  And if you want
>> to catch add and modify operations too, the overlay can do that as well.
>>
> So as I understand:
> 1) in my overlay check if EXOP_MODIFY is triggered if so let him do the job

And you can't do it with plain modify operations if the target
uses a different hash than the modify operation does, since you can't
decode the modify operation's hash.

> 2) then back to my overlay and "search and modify" the other entries of
> userPassword, right?

Yes.  Unless you want to search and replace first and modify the
requested entry afterwards, so any failure in the other entries will
leave the requested entry unmodified.  Either way has its advantages.

In case of BDB, maybe you can also get a transaction where you can
rollback your changes if any change fails.  I don't know.


BTW, remember that the userPassword attribute is multi-valued.  One
can match the submitted passwords, others not.  Or several can match
it, but with different hash methods.

Also, you may find user entries without userPassword.  Do you add one,
or not?

-- 
Regards,
Hallvard
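
An added example, not part of the original message and not OpenLDAP code: one way to pick the hash scheme for the new value from the old, multi-valued userPassword by looking at the '{something}' prefix, with an explicit policy for unknown schemes and for entries with no value. The names `known_schemes`, `classify` and `choose_scheme` are hypothetical, and the scheme list is an assumption about what the server can generate.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Assumption: schemes this server can generate; adjust to your build. */
static const char *const known_schemes[] = {
    "{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", NULL
};

enum pw_scheme { PW_NONE, PW_KNOWN, PW_UNKNOWN };

/* Classify one userPassword value (len bytes, not NUL-terminated).
 * On PW_KNOWN, *name points at the canonical "{SCHEME}" string. */
static enum pw_scheme classify(const char *val, size_t len, const char **name)
{
    const char *end;
    size_t n, i;

    *name = NULL;
    if (len < 3 || val[0] != '{')
        return PW_NONE;                 /* no prefix: cleartext value */
    end = memchr(val, '}', len);
    if (end == NULL || end == val + 1)
        return PW_NONE;                 /* "{" without a scheme name */
    n = (size_t)(end - val) + 1;        /* length of "{...}" */
    for (i = 0; known_schemes[i] != NULL; i++)
        if (strlen(known_schemes[i]) == n &&
            strncasecmp(val, known_schemes[i], n) == 0) {
            *name = known_schemes[i];
            return PW_KNOWN;
        }
    return PW_UNKNOWN;                  /* e.g. hash from another installation */
}

/* Pick the scheme for the new value from the old (multi-valued) attribute.
 * Returns the first known scheme found; otherwise fallback, which may be
 * NULL to mean "fail" (also returned as-is when the entry has no values). */
const char *choose_scheme(const char *const *vals, const size_t *lens,
                          size_t nvals, const char *fallback)
{
    const char *name;
    size_t i;

    for (i = 0; i < nvals; i++)
        if (classify(vals[i], lens[i], &name) == PW_KNOWN)
            return name;
    return fallback;
}
```

Passing NULL as `fallback` makes an unrecognized prefix or a missing userPassword a hard failure; passing a scheme name makes the caller's choice of substitute explicit.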