[Date Prev][Date Next]
(ITS#8083) userPassword rewrite for bind operation
Full_Name: Vlado Nespor
Submission from: (NULL) (188.8.131.52)
In certain situations users may welcome the possibility
to authenticate in different applications using the same
user uid, but an alternative user password value.
In order to avoid the creation of a new user entry, and
repeating the same values for all user attributes, but the
attribute userPassword, virtual views (see slapd-relay(5)
and slapo-rwm(5)) seem to be a good alternative.
Although the mapping of the userPassword attribute in the
relay backend configuration works fine for e.g the search
operation, it does not work for the bind operation.
For example, for the following configuration in slapd.conf
rwm-suffixmassage "ou=webUsers,ou=auth,o=example" "ou=users,ou=auth,o=example"
rwm-map attribute sn *
rwm-map attribute cn *
rwm-map attribute uid *
rwm-map attribute userPassword webUserPassword
rwm-map attribute *
the search operation in "ou=webUsers,ou=auth,o=example"
would present the password value stored in the attribute
webUserPassword (from "ou=users,ou=auth,o=example"). But for
the bind operation the user has to use the password value
stored in the attribute userPassword (and not in the
attribute webUserPassword, as one could expect).
The patch, presented in
aims to extend the functionality of virtual views. With
the patch applied, the mapping of the attribute userPassword
in the above example should also work for the user bind
operation. (In order to use the alternative password value
stored in webUserPassword, the application (LDAP client)
just needs to modify the search base.)
The changes in the patch have been tested for simple
authentication, and they should work for the following
There are a few examples (configurations and data) in
to illustrate the idea and to allow simple tests.
The patch has been tested in our production (back-hdb)
for several moths, and there were no problems detected.