
Re: OpenLDAP 2.0 and its crazy userPassword usage
At 01:48 PM 5/12/01, Michael Ströder wrote:
>What's the purpose of having multi-valued password attributes?

To allow an entity to have multiple passwords, of course.  With
authPassword, the attribute allows multiple derived values of
the same password.

>Changing the password with userPassword and hash-scheme would be as
>follows:
>- Check which one is the old password by iterating over all values
>of userPassword values and comparing the hashed password to the
>values.
>- Modify the list of userPassword attribute values such that only
>the old password is changed (with appropriate hashing scheme).
>
>Is that right? Would be kinda strange...

That would be one approach.  But there are other approaches.
Clients should just use the password modify extended operation
and let the server do the right thing.  Otherwise the client
needs to have a priori knowledge of how the server manages
authentication secrets.
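The client-side procedure Michael sketches (find which userPassword value the old password hashes to, then swap only that value) is shown below as an added example; it is not code from this thread or from OpenLDAP. It assumes RFC 2307 style values ({SSHA}, {SHA}, {SMD5}, {MD5}, or cleartext), a 4-byte salt as OpenLDAP generates, and a hypothetical `plan_password_change` helper that returns the modify list a client would send. The sample values are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed helper: encode bytes as the base64 text that follows the "{SCHEME}" tag.
def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Build one userPassword value: {SCHEME}base64(digest [+ salt])."""
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt        # 4-byte salt, as slapd does
        return "{SSHA}" + _b64(hashlib.sha1(pw + salt).digest() + salt)
    if scheme == "SHA":
        return "{SHA}" + _b64(hashlib.sha1(pw).digest())
    if scheme == "SMD5":
        salt = os.urandom(4) if salt is None else salt
        return "{SMD5}" + _b64(hashlib.md5(pw + salt).digest() + salt)
    if scheme == "MD5":
        return "{MD5}" + _b64(hashlib.md5(pw).digest())
    raise ValueError("unsupported scheme: " + scheme)


def verify_password(password: str, stored: str) -> bool:
    """Compare a candidate password against a single stored userPassword value.

    This is the knowledge a client must carry to do the change itself: it has
    to understand every hashing scheme the server might have used.
    """
    pw = password.encode("utf-8")
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), pw)  # cleartext value
    scheme, _, rest = stored[1:].partition("}")
    try:
        raw = base64.b64decode(rest)
    except ValueError:
        return False
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]
        return hmac.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    return False  # {CRYPT}, {SASL}, ... are not handled in this example


def plan_password_change(values: List[str], old_password: str, new_password: str,
                         scheme: str = "SSHA", salt: Optional[bytes] = None
                         ) -> List[Tuple[str, str, List[str]]]:
    """Return the modify operation for a multi-valued userPassword:
    delete exactly the value(s) the old password matches, add one new value,
    and leave every other password value untouched."""
    matched = [v for v in values if verify_password(old_password, v)]
    if not matched:
        raise ValueError("old password does not match any userPassword value")
    return [
        ("delete", "userPassword", matched),
        ("add", "userPassword", [hash_password(new_password, scheme, salt)]),
    ]


if __name__ == "__main__":
    # Constructed entry with two passwords: one SSHA, one cleartext.
    entry = [hash_password("hunter2", "SSHA"), "other-secret"]
    for op in plan_password_change(entry, "hunter2", "correct horse"):
        print(op)
```

The server-side alternative Kurt recommends is the password modify extended operation (RFC 3062), where the client sends only the old and new cleartext and the server picks the storage scheme; in python-ldap that is `LDAPObject.passwd_s(dn, oldpw, newpw)`, and in ldap3 `Connection.extend.standard.modify_password(user, old_password, new_password)`. With either, none of the scheme handling above has to live in the client.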