[Date Prev][Date Next]
Re: multiple password attributes...
tir, 2002-12-10 kl. 23:36 skrev Paul Reilly:
> > GQ can give uid Torgeir 2 completely different passwords, one crypt and
> > one clear text, and he can do a pam_ldap based login to a system
> Is it storing it in two different Password attributes?
2 different attributes, yes. This is with Openldap 2.1.8 and BDB 4.1.24.
I reckon that it's an anomaly. It's in core.schema, but commented out,
so I suppose it's built in, somehow. The comment says. RFC2256/2307:
password of user - I haven't looked at the rfcs.
> > terminal (on the same machine) with either one. Now all we have to do is
> > to get each different service to allow just one of them.
> Yes I had heard of this setup you mention. But how do you tell which
> service goes to which password field? How does OpenLDAP know to bind to the
> userPassword field anyway?
I don't know how you'd get standard apps to choose the right password.
You could write a shell /C routine that checks, I've done that in the
past with Korn shell and it works very well. Openldap uses pam_ldap in
this case, which seems to accept either password.
When all's said and done ...
there's nothing left to say or do.