
Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements



On Thu, Jul 18, 2019 at 08:32:22PM +0100, Howard Chu wrote:
> it doesn't support setting
> the password using the PasswordModify exop. That seems to imply that users are
> required to generate their passwords using some other tool, and set them using a
> normal Modify op, but doing so is deprecated.

That is correct.

> Password changes should only be done
> using the PasswordModify exop.

I wasn't sure how to do this.  My implementation is essentially
two password checks in one, so I need a way to tell the data
apart.  For the check functions this was easy as the OTP key
is stored base32 encoded, and the DELIM character should not
appear in a base32 string.  For actual password input, I don't
think I can make that assumption.

I think the safest way to hash this scheme would be to have
two separate input prompts, but I didn't see in the existing
code a provision for this.  It's possible I wasn't looking in
the right places.  If you have any suggestions I'd be happy to
try writing that code.

-- 
Greg Veldman
IT Infrastructure Services, Purdue University
gv@purdue.edu | (765)-496-2456
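
The parsing distinction described in the message above, as an added example that is not part of the original message or of the OpenLDAP module. The delimiter value `|`, the field order (key first) and the helper names are assumptions made for illustration; the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed delimiter: the message does not say which character DELIM is. */
#define DELIM '|'

/* RFC 4648 base32 alphabet (upper case) plus '=' padding. */
static int is_base32_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= '2' && c <= '7') || c == '=';
}

/* Split a stored value assumed to look like "<base32 key><DELIM><second field>".
 * Because DELIM is outside the base32 alphabet, the first DELIM always ends
 * the key, whatever the second field contains. Returns the key length and
 * points *rest at the second field, or returns -1 for a malformed value. */
static long split_stored(const char *val, const char **rest)
{
    const char *d = strchr(val, DELIM);
    if (d == NULL || d == val)
        return -1;                      /* no delimiter, or empty key */
    for (const char *p = val; p < d; p++)
        if (!is_base32_char(*p))
            return -1;                  /* key is not pure base32 */
    *rest = d + 1;
    return (long)(d - val);
}

/* Free-form password input has no such guarantee: every DELIM in it is a
 * possible boundary, so more than one means the split is ambiguous. */
static int count_split_points(const char *input)
{
    int n = 0;
    for (; *input != '\0'; input++)
        if (*input == DELIM)
            n++;
    return n;
}

int main(void)
{
    const char *rest = NULL;
    /* Constructed sample values, not taken from a real directory entry. */
    long klen = split_stored("JBSWY3DPEHPK3PXP|{SSHA}x|y", &rest);
    printf("key length %ld, second field \"%s\"\n", klen, rest);
    printf("split points in \"pa|ss|JBSWY3DP\": %d\n",
           count_split_points("pa|ss|JBSWY3DP"));
    return 0;
}
```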