[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: multiple password attributes...

tir, 2002-12-10 kl. 23:36 skrev Paul Reilly:

> > GQ can give uid Torgeir 2 completely different passwords, one crypt and
> > one clear text, and he can do a pam_ldap based login to a system
> >
> Is it storing it in two different Password attributes?

2 different attributes, yes. This is with Openldap 2.1.8 and BDB 4.1.24.
I reckon that it's an anomaly. It's in core.schema, but commented out,
so I suppose it's built in, somehow. The comment says. RFC2256/2307:
password of user - I haven't looked at the rfcs.

> > terminal (on the same machine) with either one. Now all we have to do is
> > to get each different service to allow just one of them.

> Yes I had heard of this setup you mention. But how do you tell which
> service goes to which password field? How does OpenLDAP know to bind to the
> userPassword field anyway?

I don't know how you'd get standard apps to choose the right password.
You could write a shell /C routine that checks, I've done that in the
past with Korn shell and it works very well. Openldap uses pam_ldap in
this case, which seems to accept either password.




Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl