Re: OpenLDAP 2.0 and its crazy userPassword usage

"Kurt D. Zeilenga" wrote:
> At 06:16 AM 5/12/01, Michael Ströder wrote:
> >"Kurt D. Zeilenga" wrote:
> >>
> >> This '{SCHEME}' stuff is experimental.  Hopefully
> >> will eventually die out in favor of the authPassword (which
> >> is specifically designed to hold hashed passwords).
> >
> >Any server-side implementations of the authPassword I-D yet?
> I believe they are in the works.

For the fun of it I started reading
There it is written: "A matching rule is provided for use with
extensible search filters to allow clients to assert that a clear
text password "matches" one of the attribute's values.
AuthPassword does not restrict an authentication identity to a
single password."

Oops. I was not aware of password attributes being meant as

Reviewed core.schema shipped with OpenLDAP 2.0.8:

---------------- snip --------------
attributetype ( 2.5.4.35 NAME 'userPassword'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
---------------- snip --------------

Seems also to be multi-valued. Hmm...

What's the purpose of having multi-valued password attributes?

Changing the password with userPassword and hash-scheme would be as
- Check which one is the old password by iterating over all
userPassword values and comparing the hashed password to the
- Modify the list of userPassword attribute values such that only
the old password is changed (with appropriate hashing scheme).

Is that right? Would be kinda strange...

Ciao, Michael.
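The two-step change described in the post, as an added example that is not part of the original mail: find which of several userPassword values the old cleartext matches, then build the (delete, add) pair for a modify that touches only that value. It assumes the {SHA} and {SSHA} encodings slapd emits (base64 of the SHA-1 digest, with the salt appended for {SSHA}); the sample values are constructed.

```python
import base64
import hashlib
import hmac
import os

def make_hash(scheme, cleartext, salt=None):
    """Build a '{SCHEME}' value: {SHA} is base64(sha1(pw)),
    {SSHA} is base64(sha1(pw + salt) + salt) as slapd emits it."""
    pw = cleartext.encode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)

def verify(stored, cleartext):
    """Check one stored value against a cleartext password. Values without a
    prefix are cleartext; schemes not handled here ({CRYPT}, {MD5}, ...) never match."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode(), cleartext.encode())
    scheme, _, data = stored[1:].partition("}")
    if scheme.upper() not in ("SHA", "SSHA"):
        return False  # decode only what we know how to check
    raw = base64.b64decode(data)
    pw = cleartext.encode()
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)

def replace_password(values, old_clear, new_clear, salt=None):
    """The two-step change from the post: find the value the old password
    matches and return the (delete_value, add_value) pair for a modify that
    leaves every other value untouched. Returns None when nothing matches."""
    for v in values:
        if verify(v, old_clear):
            return v, make_hash("SSHA", new_clear, salt)
    return None

# Constructed sample entry with two userPassword values: the {SHA} value is
# sha1("password"); the {SSHA} value uses a fixed salt so the run is repeatable.
SAMPLE_VALUES = [
    "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    make_hash("SSHA", "second-secret", b"salt"),
]
```

The returned pair maps directly onto an LDAP modify with one delete and one add of a single userPassword value, which is what leaves the other values in place.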