
(ITS#8083) userPassword rewrite for bind operation



Full_Name: Vlado Nespor
Version: 2.4.40
OS: Linux
URL: ftp://ftp.openldap.org/incoming/vlado-nespor-150318.patch
Submission from: (NULL) (129.132.179.222)


In certain situations users may welcome the possibility 
to authenticate in different applications using the same 
user uid, but an alternative user password value.

In order to avoid the creation of a new user entry, and 
repeating the same values for all user attributes except 
userPassword, virtual views (see slapd-relay(5) and 
slapo-rwm(5)) seem to be a good alternative. 

Although the mapping of the userPassword attribute in the 
relay backend configuration works fine for e.g. the search 
operation, it does not work for the bind operation. 
For example, for the following configuration in slapd.conf

-----------------------
database	relay
suffix		"ou=webUsers,ou=auth,o=example"
relay		"ou=users,ou=auth,o=example"

overlay			rwm
rwm-suffixmassage	"ou=webUsers,ou=auth,o=example" "ou=users,ou=auth,o=example"
rwm-map			attribute sn *
rwm-map			attribute cn *
rwm-map			attribute uid *
rwm-map			attribute userPassword webUserPassword
rwm-map			attribute *
-----------------------

the search operation in "ou=webUsers,ou=auth,o=example" 
would present the password value stored in the attribute 
webUserPassword (from "ou=users,ou=auth,o=example"). But for 
the bind operation the user has to use the password value 
stored in the attribute userPassword (and not in the 
attribute webUserPassword, as one could expect).

The patch, presented in 

ftp://ftp.openldap.org/incoming/vlado-nespor-150318.patch

aims to extend the functionality of virtual views. With 
the patch applied, the mapping of the attribute userPassword 
in the above example should also work for the user bind 
operation. (In order to use the alternative password value 
stored in webUserPassword, the application (LDAP client) 
just needs to modify the search base.)

The changes in the patch have been tested for simple 
authentication, and they should work for the following 
backends:

back-bdb
back-hdb
back-mdb
back-sql

There are a few examples (configurations and data) in

ftp://ftp.openldap.org/incoming/vlado-nespor-150318-examples.tar

to illustrate the idea and to allow simple tests. 

The patch has been tested in our production (back-hdb) 
for several months, and there were no problems detected.
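A complete minimal setup for reproducing the behaviour described in this report follows. It is an added example, not part of the ITS submission or of the submitter's example tarball. The relay/rwm part is the configuration quoted above; everything around it is assumed: the mdb backing database, the rootdn/rootpw and paths, the test user uid=jdoe with the two constructed password values, and the schema for webUserPassword, which is not a standard attribute and must be defined before the rwm mapping can refer to it. The OID arc 1.3.6.1.4.1.99999 is a placeholder and should be replaced with one the deploying organisation owns. Passwords are stored in cleartext here only so that the test is easy to read; in practice the values would be slappasswd(8) hashes.

```conf
# --- slapd.conf (added example; paths and OIDs are assumptions) ---
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema

# webUserPassword is not in the standard schema: define it with the same
# syntax and matching rule as userPassword (octet string). The OID arc
# 1.3.6.1.4.1.99999 is a placeholder, not a registered enterprise number.
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'webUserPassword'
    DESC 'alternative password, exposed as userPassword via the webUsers view'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'webUserAux'
    DESC 'auxiliary class carrying webUserPassword'
    AUXILIARY
    MAY webUserPassword )

modulepath  /usr/lib/openldap
moduleload  back_mdb.la
moduleload  back_relay.la
moduleload  rwm.la

# Real database holding the user entries (assumed; the report was tested
# against back-hdb, back-mdb is used here as the current default backend).
database    mdb
suffix      "ou=users,ou=auth,o=example"
rootdn      "cn=admin,ou=users,ou=auth,o=example"
rootpw      secret
directory   /var/lib/ldap/users

# Virtual view, as in the report: clients that bind or search below
# ou=webUsers see webUserPassword under the name userPassword.
database    relay
suffix      "ou=webUsers,ou=auth,o=example"
relay       "ou=users,ou=auth,o=example"

overlay             rwm
rwm-suffixmassage   "ou=webUsers,ou=auth,o=example" "ou=users,ou=auth,o=example"
rwm-map             attribute sn *
rwm-map             attribute cn *
rwm-map             attribute uid *
rwm-map             attribute userPassword webUserPassword
rwm-map             attribute *

# --- test-user.ldif (constructed test data) ---
dn: ou=users,ou=auth,o=example
objectClass: organizationalUnit
ou: users

dn: uid=jdoe,ou=users,ou=auth,o=example
objectClass: inetOrgPerson
objectClass: webUserAux
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: mainSecret
webUserPassword: webSecret
```

Load the entry with `ldapadd -x -H ldap://localhost -D "cn=admin,ou=users,ou=auth,o=example" -w secret -f test-user.ldif`. Then `ldapsearch -x -H ldap://localhost -b "ou=webUsers,ou=auth,o=example" "(uid=jdoe)" userPassword` should return `webSecret` under the name userPassword, which is the search-side mapping the report says already works. The check that distinguishes a patched from an unpatched slapd is `ldapwhoami -x -H ldap://localhost -D "uid=jdoe,ou=webUsers,ou=auth,o=example" -w webSecret`: according to the report this bind fails on 2.4.40 (only `-w mainSecret` is accepted through the view) and succeeds with the patch applied, while binding as `uid=jdoe,ou=users,ou=auth,o=example` with `mainSecret` works in both cases. Note that no access directives are given, so slapd's default `access to * by * read` applies; with a stricter ACL on userPassword and webUserPassword the ldapsearch step above would no longer show the value, but the bind test is unaffected as long as anonymous keeps `auth` access to both attributes.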