Re: OpenLDAP 2.0 and its crazy userPassword usage

"Kurt D. Zeilenga" wrote:
> 
> At 06:16 AM 5/12/01, Michael Ströder wrote:
> >"Kurt D. Zeilenga" wrote:
> >>
> >> This '{SCHEME}' stuff is experimental.  Hopefully
> >> will eventually die out in favor of the authPassword (which
> >> is specifically designed to hold hashed passwords).
> >
> >Any server-side implementations of the authPassword I-D yet?
> 
> I believe they are in the works.

For the fun of it I started reading
draft-zeilenga-ldap-authpasswd-05.txt.
It says: "A matching rule is provided for use with
extensible search filters to allow clients to assert that a clear
text password "matches" one of the attribute's values.
[..]
AuthPassword does not restrict an authentication identity to a
single password."

Oops. I was not aware of password attributes being meant as
multi-valued.

Reviewed core.schema shipped with OpenLDAP 2.0.8:

---------------- snip --------------
attributetype ( 2.5.4.35 NAME 'userPassword'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
---------------- snip --------------

Seems also to be multi-valued. Hmm...

What's the purpose of having multi-valued password attributes?

Changing the password with userPassword and hash-scheme would be as
follows:
- Check which one is the old password by iterating over all values
of userPassword values and comparing the hashed password to the
values.
- Modify the list of userPassword attribute values such that only
the old password is changed (with appropriate hashing scheme).

Is that right? Would be kinda strange...

Ciao, Michael.
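The two-step procedure described above (find which multi-valued userPassword value the old clear-text password matches, then re-hash only that value), as an added Python example that is not part of this thread or of OpenLDAP itself. It assumes the {SHA} and {SSHA} value encodings as OpenLDAP writes them and uses a constructed fixed salt only where reproducibility is needed:

```python
import base64
import hashlib
import hmac
import os


def sha_value(clear: bytes) -> bytes:
    """Encode a clear-text password as a {SHA} userPassword value."""
    return b"{SHA}" + base64.b64encode(hashlib.sha1(clear).digest())


def ssha_value(clear: bytes, salt=None) -> bytes:
    """Encode a clear-text password as a salted {SSHA} userPassword value.
    OpenLDAP appends the salt to the digest before base64 encoding."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt unless a fixed one is given
    digest = hashlib.sha1(clear + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def check_hashed_value(stored: bytes, clear: bytes) -> bool:
    """Return True if one userPassword value matches the clear-text password.
    A value without a {SCHEME} prefix is treated as clear text."""
    if not stored.startswith(b"{"):
        return hmac.compare_digest(stored, clear)
    scheme, _, payload = stored[1:].partition(b"}")
    raw = base64.b64decode(payload)
    if scheme.upper() == b"SHA":
        return hmac.compare_digest(raw, hashlib.sha1(clear).digest())
    if scheme.upper() == b"SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(clear + salt).digest())
    raise ValueError("unsupported password scheme: %r" % scheme)


def replace_matching_value(values, old_clear: bytes, new_clear: bytes, salt=None):
    """Step 1: find the value(s) the old password matches.
    Step 2: return a new value list where only those are replaced by the
    re-hashed new password; every other value is kept untouched.
    Raises LookupError if the old password matches nothing."""
    matches = [i for i, v in enumerate(values) if check_hashed_value(v, old_clear)]
    if not matches:
        raise LookupError("old password does not match any userPassword value")
    new_values = list(values)
    for i in matches:
        new_values[i] = ssha_value(new_clear, salt)
    return new_values
```

The returned list is what a client would send as the replacement value set of userPassword in a modify operation.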