
Re: [ldapext] [Fwd: Re: [OpenDS-users] LDAP Password Modify Extended Operation]



Howard Chu wrote:
> On the flip side, using an explicitly tagged authzID has the advantage of not making the server try to guess what form of userID has been provided...

Yes, this could lead to serious issues.

As a complete aside, there seems to be a disconnect here - it appears that there ought to be a way to specify which password validation mechanism's password is being changed. E.g., it's possible for a user to have a valid directory entry with a local userPassword attribute, as well as a valid password in an external store, e.g. sasldb. (Ugly, but this used to come up frequently.) The local userPassword would be used for Simple Binds, and the sasldb would be used for SASL Binds. Similarly for SASL Binds, not all mechs will necessarily use the same password, so it may be desirable to specify which mech's password to set. (E.g., SASL/OTP)

Most times there is already a server-side mapping from authc-ID to authz-ID in the form of a DN. So if the authz-ID is sent in the form of a DN for userIdentity in the PasswdModifyRequestValue, the server has to apply the reverse mapping to find the accompanying authc-ID for which to change the password.


Ciao, Michael.
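As an added illustration of the two points above (example code written for this page, not code from the thread, OpenDS or any LDAP server), the following Python encodes an RFC 3062 PasswdModifyRequestValue whose userIdentity is an explicitly tagged authzId, classifies the received userIdentity form, and performs the server-side reverse lookup from an authz DN back to the authc-IDs mapped onto it. The mapping table, DNs and passwords are constructed samples; the OID and tag numbers are those of RFC 3062.

```python
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 requestName

def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def build_passwd_modify_value(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    A context-specific primitive tag [n] encodes as 0x80 | n."""
    body = b""
    if user_identity is not None:
        body += _tlv(0x80, user_identity.encode("utf-8"))
    if old_passwd is not None:
        body += _tlv(0x81, old_passwd)
    if new_passwd is not None:
        body += _tlv(0x82, new_passwd)
    return _tlv(0x30, body)  # universal SEQUENCE

def classify_authzid(user_identity: str) -> tuple:
    """Split an RFC 4513 authzId into (form, value). An explicit 'dn:' or
    'u:' prefix tells the server which form it got; an untagged value
    leaves it guessing, which is the risk discussed in the thread."""
    if user_identity.startswith("dn:"):
        return ("dn", user_identity[3:])
    if user_identity.startswith("u:"):
        return ("u", user_identity[2:])
    return ("untagged", user_identity)

# Constructed sample of a server's authc-ID -> authz DN mapping. Two SASL
# authc-IDs land on one entry, so the DN alone does not name one credential.
AUTHC_TO_AUTHZ = {
    "u:alice": "uid=alice,dc=example,dc=com",
    "u:alice@EXAMPLE.COM": "uid=alice,dc=example,dc=com",
    "u:bob": "uid=bob,dc=example,dc=com",
}

def reverse_map(authz_dn: str) -> list:
    """Authc-IDs resolving to authz_dn; several hits mean the request is ambiguous."""
    return [a for a, dn in AUTHC_TO_AUTHZ.items() if dn.lower() == authz_dn.lower()]
```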