[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapo-ppolicy, ppolicy_hash_cleartext and multiple userPassword values

The code in slapo-ppolicy only cares about the first value of a password
stored by an ADD or MODIFY operation for both strenght and automatic
hashing; wouldn't it be better to forbid multiple values as part of the
password policy?  I wonder if this should be considered an implementation
detail or worth discussing on the ldapext list?  Draft behera actually

   The policy described in this document assumes that the password
   attribute holds a single value.  No considerations are made for
   directories or systems that allow a user to maintain multi-valued
   password attributes.

so, as soon as the overlay is in use, the implementation should be free to
either enforce one value or check/hash all, if the latter makes any sense.


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it