[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: userPassword not SINGLE-VALUE ?

To: OpenLDAP Software List <openldap-software@OpenLDAP.org>
Subject: Re: userPassword not SINGLE-VALUE ?
From: Ace Suares <ace@suares.nl>
Date: Sat, 8 Nov 2003 09:47:26 -0400
Content-description: clearsigned data
Content-disposition: inline
In-reply-to: <003601c3a5d1$64313440$1801a8c0@CELLO>
Organization: Ace Suares' Internet Consultancy
References: <003601c3a5d1$64313440$1801a8c0@CELLO>
User-agent: KMail/1.5.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Thank you, very much, both of you!
That was a clear answer to my question.

> In OpenLDAP 2.1 the definition is hardcoded in slapd, which is why it's
> been commented out of the core.schema file.

How do I find out which attributes have been hardcoded into OpenLDAP ?
I tried 'uid' and it seems to be a multivalued attribute to, that is not 
defined in one of the schema's. 

> > Yes, userPassword is meant to be Multivalued.  This is useful
> > if you're working with legacy systems and attempting to a
> > migration of a service such as unix user authentication in
> > which some systems may be able to support a more secure
> > password format such as MD5 hash over traditional unix
> > crypt.

> Applications generally don't (and can't) use the userPassword attribute
> directly. This attribute is used by the LDAP server for authenticating
> connections to the LDAP service. On a typical installation with reasonable
> ACLs, applications don't even have the access to read the attribute, let
> alone discover that it contains multiple values. It's a non-issue at the
> application level.

Except for webinterface-applications that let the user change their password, 
I assume.

This is something that bothers me - if a user wants to change a password, 
he/she need write access and automagically has read access. Why is there not 
such thing as 'change' access level ?

For a userPassword, auth+change would be better than auth+write, wouldn't it ? 
(I know write encopasses all the other access levels).

I have similar thoughts about adding an entry and then restrict the 
possibility of modifying or deleting it. Why is there no such thing as 'add' 
access level ? How did the set xcsrw access-levels came into being? Who 
designed this limited set, and was there a good reason to do so? Can it be 
changed (probably with RFC ?).

I am also wondering if no one else feels the currect access levels of ldap a 
problem. Please respond, I'd really like to hear opnions!

Cheers,
ace


website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/rPPwy7boE8xtIjURAkV6AJ43JcRasubPjjbuZcsQCMSrRtbf3wCggHry
96tQdJAgxegbsyoaE9HYVGo=
=7JBp
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: userPassword not SINGLE-VALUE ?
  - From: Peter Marschall <peter@adpm.de>

References:
- RE: userPassword not SINGLE-VALUE ?
  - From: "Howard Chu" <hyc@symas.com>

Prev by Date: Re: load balancing OpenLDAP
Next by Date: Re: userPassword not SINGLE-VALUE ?
Index(es):
- Chronological
- Thread