
Re: Multiple passwords



Christian Marg writes:
> Since userPassword is a multi-valued attribute, you could simply add a
> password just before an operator wants to start a "login as
> user"-session and remove it after a timeout. You'd just have to save the
> Password string you set in your "service-management software", so you
> can delete the right one after the operator session ends.

And that service-management's password store can be a tempPassword
LDAP attribute.  Stored _in addition_ to userPassword in LDAP.

If two operators want to log in as the same users at approximately the
same time, do two tempPasswords get created?  If so each must be
associated with its own timestamp.  In LDAP that's simplest done by
putting the timestamp and password in the same attribute, e.g. with
tempPasswordInfo = "timestamp#password".  It should have Octet String
syntax since userPassword does.

Assuming he needs to create those passwords at all and can't use SASL
like Dan suggested, of course.

-- 
Hallvard
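
An added example, not part of the original message: a Python sketch of the "timestamp#password" bookkeeping discussed in this thread, deciding which temporary values to remove once an operator session times out. It assumes the timestamp is Unix seconds and that the password part is the exact userPassword value that was added to the entry; the function names and the TTL are hypothetical.

```python
SEP = b"#"


def make_temp_info(password: bytes, now: int) -> bytes:
    """Build one tempPasswordInfo value: b'<unix-seconds>#<password>'."""
    return str(int(now)).encode("ascii") + SEP + password


def parse_temp_info(value: bytes):
    """Split a tempPasswordInfo value into (timestamp, password).

    Only the first '#' is a separator: the timestamp is digits only, so the
    password (an octet string) may itself contain '#' or any other byte.
    """
    ts, sep, password = value.partition(SEP)
    if not sep or not ts.isdigit():
        raise ValueError("malformed tempPasswordInfo value")
    return int(ts), password


def plan_expiry(temp_infos, now: int, ttl: int):
    """Return (tempPasswordInfo values to delete, userPassword values to delete).

    A userPassword value is kept if an unexpired tempPasswordInfo still refers
    to it, so one operator's timeout cannot end another operator's session.
    """
    expired, live_passwords = [], set()
    for value in temp_infos:
        ts, password = parse_temp_info(value)
        if now - ts >= ttl:
            expired.append((value, password))
        else:
            live_passwords.add(password)
    del_temp = [value for value, _ in expired]
    del_user = sorted({pw for _, pw in expired if pw not in live_passwords})
    return del_temp, del_user


if __name__ == "__main__":
    # Constructed sample: two operators logged in as the same user.
    infos = [make_temp_info(b"pw#one", 600), make_temp_info(b"pw-two", 900)]
    print(plan_expiry(infos, now=1000, ttl=300))
```

The two returned lists map onto delete-value modifications of tempPasswordInfo and userPassword on the user's entry.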