Re: OpenLDAP 2.0 and its crazy userPassword usage
"Kurt D. Zeilenga" wrote:
>
> At 06:16 AM 5/12/01, Michael Ströder wrote:
> >"Kurt D. Zeilenga" wrote:
> >>
> >> This '{SCHEME}' stuff is experimental. Hopefully
> >> will eventually die out in favor of the authPassword (which
> >> is specifically designed to hold hashed passwords).
> >
> >Any server-side implementations of the authPassword I-D yet?
>
> I believe they are in the works.
For the fun of it I started reading
draft-zeilenga-ldap-authpasswd-05.txt.
There is written: "A matching rule is provided for use with
extensible search filters to allow clients to assert that a clear
text password "matches" one of the attribute's values.
[..]
AuthPassword does not restrict an authentication identity to a
single password."
Oops. I was not aware of password attributes being meant as
multi-valued.
Reviewed core.schema shipped with OpenLDAP 2.0.8:
---------------- snip --------------
attributetype ( 2.5.4.35 NAME 'userPassword'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
---------------- snip --------------
Seems also to be multi-valued. Hmm...
What's the purpose of having multi-valued password attributes?
Changing the password with userPassword and hash-scheme would be as
follows:
- Check which one is the old password by iterating over all values
of userPassword values and comparing the hashed password to the
values.
- Modify the list of userPassword attribute values such that only
the old password is changed (with appropriate hashing scheme).
Is that right? Would be kinda strange...
Ciao, Michael.
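As an added example (not code from the thread or from OpenLDAP), the two-step change described above in Python: walk the multi-valued userPassword, find the value that verifies the old clear-text password, and emit an LDAP modify that deletes only that value and adds a fresh {SSHA} hash for the new one. It assumes the RFC 2307 style {SSHA}/{SHA} encodings and uses constructed sample values.

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return an RFC 2307 style '{SSHA}' value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def password_matches(value, password):
    """Check one userPassword value against a clear-text password.
    Handles {SSHA}, {SHA} and unprefixed (clear-text) values; anything else
    is treated as a non-match rather than guessed at."""
    if value.startswith(b"{SSHA}"):
        raw = base64.b64decode(value[len(b"{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    if value.startswith(b"{SHA}"):
        raw = base64.b64decode(value[len(b"{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(password).digest(), raw)
    if value.startswith(b"{"):
        return False                                # unknown scheme
    return hmac.compare_digest(value, password)     # stored in clear text


def change_one_password(values, old_password, new_password):
    """Step 1: find the value the old password matches.
    Step 2: build the modify list that replaces only that value.
    Returned as (op, value) pairs; the other values are left untouched."""
    matching = [v for v in values if password_matches(v, old_password)]
    if not matching:
        raise ValueError("old password does not match any userPassword value")
    return [("delete", matching[0]), ("add", ssha_hash(new_password))]


# Constructed sample entry with three values in three different encodings.
SAMPLE_VALUES = [
    ssha_hash(b"secret1", salt=b"abcd"),
    b"{SHA}" + base64.b64encode(hashlib.sha1(b"secret2").digest()),
    b"plainsecret3",
]

if __name__ == "__main__":
    for op, value in change_one_password(SAMPLE_VALUES, b"secret2", b"newsecret"):
        print(op, value.decode())
```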