
Re: Multiple passwords. Configurable bind attribute. Etc..

At present, slapd(8) itself will only use userPassword to
verify the directory user's password.  Applications, of
course, may or may not use userPassword to verify
application user passwords.  See the documentation
for particular applications to see what their
capabilities are.


At 02:01 PM 8/30/2004, Erik Forsberg wrote:
>At a site where I'm involved, several systems are or are not available
>to a certain user. For example, a user can have:
>* One account on the internal network, with Linux and Windows systems.
>* One account on a web site.
>* One account on a demo Linux system.
>I'm now thinking about assembling all different accounts and their
>authentication information into one single database, and an LDAP
>database might fit my needs.
>My Problem
>Now, if all accounts were to be accessible by using the same password,
>this would be easy. I'd just use pam_ldap/nss_ldap on the Linux
>systems, configure Samba to store passwords in LDAP and modify the web
>sites to use the LDAP as a password backend.
>However, things are not that simple. I'd like the passwords for the
>internal network to be different from the ones for the demo Linux
>system, since the expected security level (possibility of hostile
>software) is much higher on the latter. I don't want an attacker that
>gains root access on the demo system to be able to snoop passwords
>that can be used to access the internal systems.
>Still, I'd like all accounts to be assembled in one place for easy
>maintainability. The demo Linux system should preferably be a
>replica of the master LDAP server, but not a complete replica, only
>the most needed and least sensitive information should be replicated.
>Is a solution that fulfills my needs possible with the help of
>OpenLDAP?  If so, how? 
>A possible solution
>One possible solution, as far as I can see, would be to make it
>configurable which attribute is used as a password attribute when
>doing a bind operation. If it was configurable, I could use one
>attribute for binding from the internal systems, and one for binding
>on the demo Linux system. The attribute I would use for bind
>operations on the internal systems would of course not be replicated
>to the demo system.
>Comments? Suggestions? Would my idea be a good solution for my
>I've read a bit about the slapo-rwm overlay, perhaps that can be used
>as part of the solution?
>Erik Forsberg                 http://www.lysator.liu.se/~forsberg/
>GPG/PGP Key: 1024D/0BAC89D9
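Added example, not part of this thread and not OpenLDAP's own code. The reply above makes the
point that a slapd bind checks userPassword only, whereas an application is free to verify a
password against any attribute it can read. The script below shows what that application-side
check looks like: it hashes and verifies values in the {SSHA}/{SHA} encoding that slapd itself
uses for userPassword, but reads them from a hypothetical demoPassword attribute on a constructed
entry that deliberately carries no userPassword (the shape a partial replica on the demo box would
have). The attribute name, the entry and the sample secret are all assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # byte length of a SHA-1 digest; the salt follows it in {SSHA}


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value as slapd stores it: base64(sha1(pw + salt) + salt).

    A fixed salt is only accepted here so the example is reproducible; real
    callers should let os.urandom pick one.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Produce an unsalted {SHA} value (supported for legacy data, weaker than {SSHA})."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def check_password(stored: str, candidate: str) -> bool:
    """Verify candidate against one stored value.

    Handles {SSHA}, {SHA} and cleartext. Any other {scheme} prefix, and any
    undecodable value, is rejected (fail closed) rather than compared as text.
    Comparisons use hmac.compare_digest to avoid timing leaks.
    """
    cand = candidate.encode("utf-8")
    try:
        if stored.startswith("{SSHA}"):
            raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
            digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
            if len(digest) != SHA1_LEN:
                return False
            return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
        if stored.startswith("{SHA}"):
            raw = base64.b64decode(stored[len("{SHA}"):], validate=True)
            return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    except (binascii.Error, ValueError):
        return False
    if stored.startswith("{"):
        return False  # unknown scheme: never fall through to a cleartext compare
    return hmac.compare_digest(stored.encode("utf-8"), cand)


def app_authenticate(entry: dict, attr: str, candidate: str) -> bool:
    """Application-level check against an attribute of the caller's choosing.

    This is the step slapd's bind operation will not do for you: here the
    application decides which attribute (e.g. a hypothetical demoPassword)
    carries the credential for this particular system.
    """
    return any(check_password(v, candidate) for v in entry.get(attr, []))


# Constructed sample entry (assumption): what the demo replica might hold once the
# sensitive attributes are left out. userPassword is absent on purpose; only the
# hypothetical demoPassword attribute is present.
DEMO_ENTRY = {
    "dn": "uid=erik,ou=People,dc=example,dc=com",
    "demoPassword": [make_ssha("demo-only-secret", salt=b"\x01\x02\x03\x04")],
}

if __name__ == "__main__":
    print(app_authenticate(DEMO_ENTRY, "demoPassword", "demo-only-secret"))  # True
    print(app_authenticate(DEMO_ENTRY, "demoPassword", "wrong"))             # False
    print(app_authenticate(DEMO_ENTRY, "userPassword", "demo-only-secret"))  # False: attribute absent
```

Two caveats a practitioner would want: the application reading demoPassword needs an ACL that
lets its own identity read that attribute (slapd hides userPassword from ordinary reads by
default, and a second password attribute deserves the same treatment), and a hash stored this way
is only as strong as the scheme, so {SSHA} over {SHA} or cleartext, and nothing that an attacker
with root on the demo host could reuse against the internal systems.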