Re: userPassword not SINGLE-VALUE ?
Thank you, very much, both of you!
That was a clear answer to my question.
> In OpenLDAP 2.1 the definition is hardcoded in slapd, which is why it's
> been commented out of the core.schema file.
How do I find out which attributes have been hardcoded into OpenLDAP?
I tried 'uid' and it seems to be a multivalued attribute too, that is not
defined in one of the schemas.
> > Yes, userPassword is meant to be Multivalued. This is useful
> > if you're working with legacy systems and attempting a
> > migration of a service such as unix user authentication in
> > which some systems may be able to support a more secure
> > password format such as MD5 hash over traditional unix
> > crypt.
> Applications generally don't (and can't) use the userPassword attribute
> directly. This attribute is used by the LDAP server for authenticating
> connections to the LDAP service. On a typical installation with reasonable
> ACLs, applications don't even have the access to read the attribute, let
> alone discover that it contains multiple values. It's a non-issue at the
> application level.
Except for web-interface applications that let the user change their password,
I assume.
This is something that bothers me - if a user wants to change a password,
he/she needs write access and automagically has read access. Why is there no
such thing as a 'change' access level?
For a userPassword, auth+change would be better than auth+write, wouldn't it?
(I know write encompasses all the other access levels.)
I have similar thoughts about adding an entry and then restricting the
possibility of modifying or deleting it. Why is there no such thing as an 'add'
access level? How did the set of xcsrw access levels come into being? Who
designed this limited set, and was there a good reason to do so? Can it be
changed (probably with an RFC?).
I am also wondering if no one else feels the current access levels of LDAP are a
problem. Please respond, I'd really like to hear opinions!
Cheers,
ace
website: http://www.suares.nl * http://www.qwikzite.nl
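An added example, not part of the original message or of the OpenLDAP project's own material: the level-based rule the message describes (write implies read) beside a privilege-based rule. It assumes the `<priv>` form documented in slapd.access(5) (`=`, `+` or `-` followed by privilege letters) and the `attrs=` spelling; whether a given slapd version accepts both is an assumption to check against its man page.

```conf
# slapd.conf fragment (added example). Enable only ONE of the two rules:
# slapd applies the first "access to" clause whose <what> matches.

# Level-based rule: "write" is cumulative, so self also receives
# read, search, compare and auth on userPassword.
#access to attrs=userPassword
#        by self write
#        by anonymous auth
#        by * none

# Privilege-based rule: "=xw" sets exactly auth (x) and write (w).
# Self can replace the value but cannot read, search or compare it.
# Anonymous keeps auth so that simple binds still work.
access to attrs=userPassword
        by self =xw
        by anonymous auth
        by * none
```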