Re: (ITS#5146) slapo-ppolicy
tonni@hetnet.nl wrote:
> I'd like to see ppolicy refuse to accept a multi-value userPassword.
Agreed, this problem is already highlighted in the current code. (See the
FIXME comment in ppolicy.c around line 1556.) We just haven't decided on a
proper solution yet.
It appears that the RFC3112 authPassword suffers from the same problem. If I
were to design all of this today I would have made these attributes
single-valued, and used attribute tags to specify the password hash mechanism.
E.g.,
authPassword;crypt: 0123456789abcd
authPassword;sha1: xxxxxxxxxxxxxx
Since the Password Policy draft *does* include provisions for applying
policies to multiple password attributes, then this problem would no longer exist.
Of course now that userPassword and authPassword already exist, all the good
attribute names are already gone. ;)
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
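
An audit sketch for the condition discussed in this message, added here as an example and not taken from ppolicy.c or the OpenLDAP project: it scans an LDIF export and reports entries where one password attribute description carries more than one value. The function names and sample entries are constructed; the carol entry mirrors the tagged layout proposed above, which is a hypothetical design and not an existing schema.

```python
import base64
from collections import Counter

PASSWORD_ATTRS = {"userpassword", "authpassword"}

# Constructed sample export; the values are placeholders, not real hashes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {SSHA}constructed-placeholder-1
userPassword: {CRYPT}constructed-placeholder-2

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=carol,ou=people,dc=example,dc=com
authPassword;crypt: 0123456789abcd
authPassword;sha1: xxxxxxxxxxxxxx
"""

def parse_ldif(text):
    """Yield (dn, [(attribute_description, value_bytes), ...]) for each entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entry = []
    for line in [l for l in lines if not l.startswith("#")] + [""]:
        if line:
            desc, _, rest = line.partition(":")
            b64 = rest.startswith(":")    # "attr:: value" marks a base64 value
            value = base64.b64decode(rest[1:]) if b64 else rest.lstrip(" ").encode()
            entry.append((desc, value))
            continue
        if entry and entry[0][0].lower() == "dn":   # skips a "version: 1" header
            yield entry[0][1].decode(), entry[1:]
        entry = []

def multi_valued_passwords(text):
    """Return {dn: {attribute_description: count}} for password attributes with >1 value."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        counts = Counter(d.lower() for d, _ in attrs
                         if d.split(";")[0].lower() in PASSWORD_ATTRS)
        repeated = {d: n for d, n in counts.items() if n > 1}
        if repeated:
            findings[dn] = repeated
    return findings
```

Values are counted per full attribute description, so the two differently tagged authPassword values on the carol entry are not reported, while the two untagged userPassword values on the alice entry are.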