[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5146) slapo-ppolicy

tonni@hetnet.nl wrote:
> I'd like to see ppolicy refuse to accept a multi-value userPassword.

Agreed, this problem is already highlighted in the current code. (See the 
FIXME comment in ppolicy.c around line 1556.) We just haven't decided on a 
proper solution yet.

It appears that the RFC3112 authPassword suffers from the same problem. If I 
were to design all of this today I would have made these attributes 
single-valued, and used attribute tags to specify the password hash mechanism. 
	authPassword;crypt: 0123456789abcd
	authPassword;sha1: xxxxxxxxxxxxxx

Since the Password Policy draft *does* include provisions for applying 
policies to multiple password attributes, then this problem would no longer exist.

Of course now that userPassword and authPassword already exist, all the good 
attribute names are already gone. ;)
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/