
Re: Defining a password attributetype



Rob Tanner wrote:
> When I'm adding an attribute to my private schema and I'm not sure of
> the syntax OID, I look for a similar attribute in the schema included in
> the openLDAP distribution.  The problem is that 'userPassword' is
> apparently defined by the software since I can't find it in any of the
> schema.  If I encode the 'tempPassword' exactly the same as I encode
> 'userPassword', I'm guessing that what I'm writing is basically an octet
> string.  Am I right?

1. Use a decent schema browser to examine the whole subschema subentry. This
will also contain schema descriptions hard-coded in slapd (or its overlays).

2. userPassword is declared with OctetString (OID
1.3.6.1.4.1.1466.115.121.1.40). However if in your case you expect the
password to be in clear-text and only contain strings you could type on a
keyboard then DirectoryString (OID 1.3.6.1.4.1.1466.115.121.1.15) might be
more appropriate.

>> Also, I note that while you can define an attribute that's named
>> tempPassword, it will not be used by OpenLDAP for authentication.
>> 'userPassword' is a special case. Similar behaviour could be achieved by
>> writing an overlay, though, if that's what you want.
> 
> That's the entire purpose.  A number of systems and services
> authenticate to the ldap server.  When users fail to take note of the
> expiry notices they're getting in their email and allow their password
> to expire and, oh, by the way, don't remember their own answers to the
> security questions, the support desk will assign them a temporary
> password that the password manager (a webapp) knows how to read.

IMO that's bad practice. When doing a password reset you should set a random
value in userPassword together with a password expiration attribute (slapo-ppolicy).

Ciao, Michael.
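An added example, not part of the thread and not OpenLDAP's own code, that turns both halves of Michael's reply into LDIF a helpdesk script could feed to ldapmodify: the attribute type definition with the OctetString or DirectoryString syntax OIDs quoted above, and an administrative reset that replaces userPassword with a random {SSHA} value and sets the slapo-ppolicy pwdReset flag. The private OID arc 1.3.6.1.4.1.99999.1, the schema entry name cn={1}private and the user DN are placeholders (assumptions), the matching rules octetStringMatch and caseExactMatch are the standard RFC 4517 rules, and writing pwdReset assumes the binding identity (e.g. the rootdn) may modify that operational attribute.

```python
"""Added example (not from the thread): generate the LDIF for a private
'tempPassword' attribute type and for a ppolicy-style password reset.
Placeholder OID arc 1.3.6.1.4.1.99999.1 and schema entry cn={1}private
are assumptions; substitute your registered arc and real entry."""
import base64
import hashlib
import os
import secrets
import string

# Syntax OIDs named in the reply (RFC 4517).
OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"

# Placeholder private enterprise arc (assumption).
PRIVATE_ARC = "1.3.6.1.4.1.99999.1"


def attribute_type_ldif(name, suffix, clear_text):
    """cn=config LDIF adding one attribute type to a custom schema entry.
    Binary/hashed data -> OctetString + octetStringMatch; a typeable
    clear-text value -> DirectoryString + caseExactMatch."""
    if clear_text:
        syntax, equality = DIRECTORY_STRING, "caseExactMatch"
    else:
        syntax, equality = OCTET_STRING, "octetStringMatch"
    return (
        "dn: cn={1}private,cn=schema,cn=config\n"   # assumed schema entry
        "changetype: modify\n"
        "add: olcAttributeTypes\n"
        f"olcAttributeTypes: ( {PRIVATE_ARC}.{suffix} NAME '{name}' "
        f"DESC 'helpdesk temporary password' EQUALITY {equality} "
        f"SYNTAX {syntax} SINGLE-VALUE )\n"
    )


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword value: base64(SHA1(pw || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a clear-text password against a stored {SSHA} value
    (what slapd does on a simple bind), in constant time for the digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return secrets.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def random_password(length=20):
    """Random temporary password from a typeable alphabet (CSPRNG)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_ldif(user_dn, new_password):
    """Modify LDIF for an administrative reset: hashed random value in
    userPassword plus pwdReset TRUE so slapo-ppolicy forces a change at the
    next bind (the applicable policy needs pwdMustChange: TRUE)."""
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {ssha_hash(new_password.encode())}\n"
        "-\n"
        "replace: pwdReset\n"
        "pwdReset: TRUE\n"
        "-\n"
    )


if __name__ == "__main__":
    print(attribute_type_ldif("tempPassword", 1, clear_text=False))
    pw = random_password()
    # Hand the clear-text value to the user out of band; only the hash is stored.
    print(reset_ldif("uid=jdoe,ou=people,dc=example,dc=com", pw))  # assumed DN
```

Feed the first LDIF to `ldapmodify -Y EXTERNAL -H ldapi:///` once, and the second per reset as the rootdn. With pwdMustChange TRUE in the policy, slapo-ppolicy sets pwdReset itself when anyone other than the entry's owner rewrites userPassword, so the explicit replace is belt and braces; it does no harm and documents the intent in the LDIF.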