
Re: Multiple passwords


Adrian Overbury wrote:
Now, I created the attribute tempPassword, and made it SUP userPassword, but it doesn't seem to have inherited any of userPassword's functionality, like the ability to hash the entered string with a given scheme (like if I entered {SSHA}password I'd end up with a SHA-1 hashed password) and automatic encoding to base64.

The functionality you mention is
- not part of the LDAP server but part of a client exporting to LDIF (base64 encoding)
- specific to the userPassword attribute, because the extended operation "password modify" only operates on the attribute named "userPassword". I don't know of any functionality in the LDAP server that hashes the password when you just modify the userPassword attribute normally.

I know (or, at least, I *think*) that userPassword is a multi-valued attribute, so I could just enter another userPassword and let it auth off that, but that defeats the purpose, [...]

Why? It sounds like just what you want.

All of it relies on me being able to create a new password attribute and auth off it, though, so, anyone able to help?

I am not aware of another attribute that OpenLDAP could use for authentication via simple bind.

Since userPassword is a multi-valued attribute, you could simply add a password just before an operator wants to start a "login as user"-session and remove it after a timeout. You'd just have to save the password string you set in your "service-management software", so you can delete the right one after the operator session ends.

Christian Marg                    mail  : mailto:marg@rz.tu-clausthal.de
Dezernat 2 TU Clausthal           web   : http://www.tu-clausthal.de
D-38678 Clausthal-Zellerfeld      fon   : 05323/72-2107
Germany                           jabber: ifcma@jabber.tu-clausthal.de