Re: Multiple passwords
Hello,

Adrian Overbury wrote:
> [...]
> Now, I created the attribute tempPassword, and made it SUP userPassword,
> but it doesn't seem to have inherited any of userPassword's
> functionality, like the ability to hash the entered string with a given
> scheme (like if I entered {SSHA}password I'd end up with a SHA-1 hashed
> password) and automatic encoding to base64.

The functionality you mention is
- not part of the LDAP server but part of a client exporting to LDIF
  (base64 encoding)
- specific to the userPassword attribute, because the extended
  operation "password modify" only operates on the attribute named
  "userPassword". I don't know of any functionality in the LDAP server
  that hashes the password when you just modify the userPassword attribute
  normally.

> I know (or, at least, I *think*) that userPassword is a multi-valued
> attribute, so I could just enter another userPassword and let it auth
> off that, but that defeats the purpose, [...]

Why? It sounds like just what you want.

> All of it relies on me being able to create a new password attribute and auth
> off it, though, so, anyone able to help?

I am not aware of another attribute that OpenLDAP could use for
authentication via simple bind.

Since userPassword is a multi-valued attribute, you could simply add a
password just before an operator wants to start a "login as
user" session and remove it after a timeout. You'd just have to save the
password string you set in your "service-management software", so you
can delete the right one after the operator session ends.

bye
Christian
--
Christian Marg mail : mailto:marg@rz.tu-clausthal.de
Dezernat 2 TU Clausthal web : http://www.tu-clausthal.de
D-38678 Clausthal-Zellerfeld fon : 05323/72-2107
Germany jabber: ifcma@jabber.tu-clausthal.de
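
The add-then-remove approach from the reply above, as an added Python example that is not part of the original message or of OpenLDAP. It assumes the server stores userPassword as sent on a plain modify, so the client builds the {SSHA} value itself and keeps the exact stored string for the later delete; the DN and all function names are constructed for illustration, and the LDIF is meant to be fed to `ldapmodify`.

```python
import base64
import hashlib
import hmac
import secrets

PREFIX = "{SSHA}"


def ssha(password: str, salt: bytes = b"") -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = salt or secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        return False
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def modify_ldif(dn: str, op: str, value: str) -> str:
    """LDIF change record that adds or deletes exactly one userPassword value."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    return f"dn: {dn}\nchangetype: modify\n{op}: userPassword\nuserPassword: {value}\n"


def operator_session(dn: str) -> dict:
    """Generate a temporary password and the LDIF to open and close the session."""
    password = secrets.token_urlsafe(24)
    value = ssha(password)
    # The salt is random, so `value` cannot be recomputed later: the management
    # software has to store it in order to delete this value and no other.
    return {
        "password": password,
        "value": value,
        "open": modify_ldif(dn, "add", value),
        "close": modify_ldif(dn, "delete", value),
    }


if __name__ == "__main__":
    session = operator_session("uid=jdoe,ou=people,dc=example,dc=com")  # constructed DN
    print(session["open"] + "\n" + session["close"])
```

Deleting by value leaves the user's own userPassword values untouched, which is why the stored string has to be kept until the session ends.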