[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Defining a password attributetype

To: Jonathan CLARKE <jonathan.clarke@normation.com>
Subject: Re: Defining a password attributetype
From: Rob Tanner <rtanner@linfield.edu>
Date: Fri, 03 Sep 2010 09:07:55 -0700
Cc: openldap-technical@openldap.org
In-reply-to: <4C80F9A4.2010304@normation.com>
Thread-index: ActLgisI4Clyo30bIUiChjNJmkit+g==
Thread-topic: Defining a password attributetype
User-agent: Microsoft-Entourage/12.26.0.100708

Title: Re: Defining a password attributetype

Hi Jonathan,

On 9/3/10 6:35 AM, "Jonathan CLARKE" <jonathan.clarke@normation.com> wrote:

>
> The syntax defines the type of an attribute, ie what is valid data to be
> stored in it. It is obligatory in an attribute definition.
>
>>
>> The attribute will be SHA encrypted digest encoded as Base64 (same as
>> the standard userPassword attribute). Any guidance on the schema
>> definition would be most appreciated.
>
> The online OpenLDAP Admin Guide has quite a bit of good information on
> defining schemas, including common syntaxes:
>> http://www.openldap.org/doc/admin24/schema.html#Attribute%20Type%20Specificat
>> ion

When I'm adding an attribute to my private schema and I'm not sure of the syntax OID, I look for a similar attribute in the schema included in the openLDAP distribution. The problem is that 'userPassword' is apparently defined by the software since I can't find it in any of the schema. If I encode the 'tempPassword' exactly the same as I encode 'userPassword', I'm guessing that what I'm writing is basically an octet string. Am I right?

>
> Also, I note that while you can define an attribute that's named
> tempPassword, it will not be used by OpenLDAP for authentication.
> 'userPassword' is a special case. Similar behaviour could be achieved by
> writing an overlay, though, if that's what you want.
>

That's its the entire purpose. A number of systems and services authenticate to the ldap server. When users fail to take note of the expiry notices they're getting in their email and allow their password to expire and, O by the way, don’t remember their own answers to the security questions, the support desk will assign them a temporary password that the password manager (a webapp) knows how to read. Using the ‘tempPassword’ attribute that I’m going to create means that they will have access to nothing except the password manager until they reset the password. And, O by the way, have to create a new set of security questions that just maybe they’ll remember the answers to 6 months down the line when they again ignore the expiry notices.

Thanks,
Rob

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

Follow-Ups:
- Re: Defining a password attributetype
  - From: Jonathan CLARKE <jonathan.clarke@normation.com>
- Re: Defining a password attributetype
  - From: Michael Ströder <michael@stroeder.com>

References:
- Re: Defining a password attributetype
  - From: Jonathan CLARKE <jonathan.clarke@normation.com>

Prev by Date: Re: Including schema in directory based config?
Next by Date: Re: Defining a password attributetype
Index(es):
- Chronological
- Thread