[Date Prev][Date Next]
Re: OpenLDAP 2.0 and its crazy userPassword usage
"Kurt D. Zeilenga" wrote:
> >Changing the password with userPassword and hash-scheme would be as
> >- Check which one is the old password by iterating over all values
> >of userPassword values and comparing the hashed password to the
> >- Modify the list of userPassword attribute values such that only
> >the old password is changed (with appropriate hashing scheme).
> >Is that right? Would be kinda strange...
> That would be one approach. But there are other approaches.d
> Clients should just use the password modify extended operation
> and let the server do the right thing.
Yes, I just had a look at RFC3062 especially since
draft-zeilenga-ldap-authpasswd-05.txt states for authPasswordSyntax:
"Transfer of values of this syntax is strongly discouraged.."
This does make sense but I wonder when we finally manage to have
widely deployed implementations...
> Otherwise the client
> needs to have apriori knowledge of how the server manages
> authentication secrets.
LDAP clients are doing a lot of assumptions anyway... ;-)