[Date Prev][Date Next]
Does ldappasswd check user's identity?
Now I use OpenLDAP to store certificates and configure simple access rules.
1.all users can search or read entries
2.only the administrator "cn=root,c=cn" can add/delete/modify entries.
Only the entry "cn=root,c=cn" has the attribute "userPassword".
Now I need to write codes to modify the administrator's password--rootpw.
I think rootpw is equal to the value of userPassword,
so I don't need to write rootpw in slapd.conf,am I right?
I can use ldappasswd to change rootdn's userPassword,
BUT,this command doesn't check old password.
It is odd that changing user's password without verify the user's identity.
I don't know whether I misunderstand ldappasswd,if I am wrong please correct me.
But if it is the behavior of ldappasswd,
I want to write a program to improve it in my ldap application.
Below is my design:
1. ask administrator(in my case,only administrator has password and need to change password)
to input oldpswd and newpswd
2. use oldpswd to add a entry to slapd.
if add operation success,the administrator's identity is verified,and delete this entry
if add operation failed,reject the request of change password.
3. execute modify operation,modify the value of attribute "userPassword" of rootdn
from oldpswd to newpswd.
Is this idea feasible?
To implement the idea I have something more to know.
Because the userPassword should be crypted or hashed,
so I wonder whether the crypt or hash algorithm is standard or selfdefined.
If I crypted or hashed the plaintext and put ciphertext to "userPassword" attribute,
can slapd recognize it?
I reviewed the code of ldappasswd.c yesterday.
Oops,as a programmer only used "ldap_open","ldap_add" before, the code is too complicated.
It is a great help if someone tell me how to deal with the crypted or hashed userPassword.
Thank you in advance.