[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Applications, authentication, and hashing methods..

> > You may have different passwords by utilizing different password
> > attributes, viz: userPassword, clearPassword etc, as, for example,
> > Courier IMAP implements. But it's then up to your application to
> > implement them - and they're an utter waste of endeavor in any case. As
> > Luca pointed out.
> But then the schemas that you have loaded have to support those
> different attributes, for which you'll need to incorporate the necessary
> extra objectclasses.

I've done this to meet some regulatory issues (big brother says data XYZ
must be shielded by a second secret; so wether or not it actually helps
security isn't an issue).

Simply have authentication for that application use a specific search
base (some organizational unit) that contains something like
simpleSecurityObjects for each person/entity that should have access. 
They can use their 'real' account, to search for the DN of that
secondary object, and then if they can bind as that DN with the password
there.....  It's a bit gnarly but it works.